Seam Identity Management

During a recent coding getaway to Maine (see my post on the 2011 HackFestaThon) I decided to write a basic Seam project as a starting point for my future Seam-based web applications.  The idea is to provide common features such as Login, Logout, Registration, Forgot Password, User Management, Audit Logging, Image Upload Handling, Video Upload Handling, etc… so next time I have an idea that I want to hack together I won’t have to re-write or copy-paste basic functionality like that.

I spent about a day working on things before I discovered that I really should be using the Seam framework’s Identity Management feature.  So I threw out everything I’d done, started by re-reading the docs, and went from there.  Seam’s Identity Management framework is VERY powerful, but it is also a little complicated to get going, and in many cases it seems like it would be easier to just write stuff from scratch.  I’m banking on the powerful stuff being worth the initial learning curve and a little extra pain.

When I get the starter project in a more complete state I will be open sourcing the whole thing to help others along, but I wanted to share a few things I’ve learned so far:

In order to use the Email address as the login instead of a username, you need to remove the username property from your UserAccount entity and annotate the Email address property like so:

@NotNull
@UserPrincipal
@Email
public String getEmail() {
    return email;
}

Actions like Registration need a RunAsOperation inner class to handle the fine-grained security controls that the Identity Management framework enforces:

    public void register() {
        verified = (confirm != null && confirm.equals(password));

        if (!verified) {
            FacesMessages.instance().addToControl("confirmPassword", "Passwords do not match");
            return; // stop here; never create an account whose password was not confirmed
        }
        new RunAsOperation() {
            public void execute() {
                try {
                    // Check if email address has already been used
                    if (identityManager.userExists(getEmail())) {
                        FacesMessages.instance().addToControl("email", "Email has already been used.");
                        return;
                    }
                    identityManager.createUser(email, password, mFirstName, mLastName);
                    // Grant the default role only once the account actually exists
                    identityManager.grantRole(email, "member");
                } catch (IdentityManagementException e) {
                    // mLog is a Seam @Logger-injected Log field on this component (not shown)
                    mLog.error("Registration failed for #0", e, email);
                    FacesMessages.instance().add("Registration failed, please try again.");
                }
            }
        }.addRole("admin").run();

        // Login the user
        identity.getCredentials().setUsername(email);
        identity.getCredentials().setPassword(password);
        identity.login();
    }

Populating custom properties on the User during things like registration requires observing events:

    @Observer(JpaIdentityStore.EVENT_PRE_PERSIST_USER)
    public void prePersistUser(UserAccount pNewUser) {
        // Set up additional UserAccount properties before the user is created
        pNewUser.setRegistrationDate(new Date());
        pNewUser.setOptIn(isOptIn());
    }

You can log audit events with the user’s IP address by doing things like this:

import java.util.Date;
import javax.faces.context.FacesContext;
import javax.servlet.ServletRequest;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Events;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.management.JpaIdentityStore;

@Scope(ScopeType.EVENT)
@Name("userEvents")
public class UserEvents {
    @Logger
    private Log mLog;

    @Observer(JpaIdentityStore.EVENT_USER_AUTHENTICATED)
    public void loginSuccessful(UserAccount pUser) {
        mLog.info("User logged in with email: #0", pUser.getEmail());
        pUser.setLastLoginDate(new Date());
        Contexts.getSessionContext().set("currentUser", pUser);
        // getRemoteAddr() is the immediate client's address; behind a reverse proxy
        // or load balancer that is the proxy's IP, not the end user's
        String remoteAddr = ((ServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest()).getRemoteAddr();
        AuditEvent loginEvent = new AuditEvent(remoteAddr, pUser.getId(), "Login Success", null);
        Events.instance().raiseEvent("auditEvent", loginEvent);
    }
}
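The snippet above raises the "auditEvent" but does not show what consumes it. As an added example (not code from the original post or the starter project), here is one way to persist those events: an AuditEvent entity whose constructor matches the call above (remote address, user id, action, details), and a Seam component that observes the event inside a transaction. The entity's field types, the component name auditEventListener, and a Seam-managed persistence context named entityManager are all assumptions.

```java
// AuditEvent.java (assumed entity; shape inferred from the constructor call in the post)
import java.util.Date;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Temporal;
import javax.persistence.TemporalType;

@Entity
public class AuditEvent {
    @Id @GeneratedValue private Long id;
    private String remoteAddress;   // value of ServletRequest.getRemoteAddr()
    private Long userId;            // null for events with no authenticated user
    private String action;          // e.g. "Login Success"
    private String details;         // free-form, optional
    @Temporal(TemporalType.TIMESTAMP) private Date occurredAt = new Date();

    protected AuditEvent() { }      // no-arg constructor required by JPA

    public AuditEvent(String remoteAddress, Long userId, String action, String details) {
        this.remoteAddress = remoteAddress;
        this.userId = userId;
        this.action = action;
        this.details = details;
    }
    public Long getId() { return id; }
    public String getRemoteAddress() { return remoteAddress; }
    public Long getUserId() { return userId; }
    public String getAction() { return action; }
    public String getDetails() { return details; }
    public Date getOccurredAt() { return occurredAt; }
}

// AuditEventListener.java (assumed component; persists every raised "auditEvent")
import javax.persistence.EntityManager;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Transactional;

@Name("auditEventListener")
@Scope(ScopeType.EVENT)
public class AuditEventListener {
    @In private EntityManager entityManager;   // assumed Seam-managed persistence context

    @Observer("auditEvent")
    @Transactional
    public void record(AuditEvent event) {
        entityManager.persist(event);          // audit rows are append-only: never updated or deleted here
    }
}
```

The two classes are shown together but belong in separate files; the observer runs in the same request as the login, so a persistence failure surfaces to the caller rather than silently dropping the audit record.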

Hopefully I’ll have the starter project ready soon and will share it with you all. In the meantime, happy hacking!

Spark::red is PCI Level 1 Certified!


I’m happy to announce that Spark::red ATG Hosting has received our PCI DSS 1.2 Level 1 Certification as an eCommerce MSP.  We have been Level 2 certified for a while, but completing our Level 1 certification with TrustWave as our third-party auditor is a huge milestone for us.

PCI DSS is the Payment Card Industry’s Data Security Standard.  It is a set of requirements and guidelines designed to ensure that merchants who handle or process credit cards do so securely.  There are different levels based on transaction volume, and Level 1 is the highest level, required for the largest-volume merchants.  Level 1 is also the most difficult certification to gain, requiring the strictest security protections, the strongest policies, and a very in-depth audit by a certified auditing company, such as TrustWave.  Our certification process has taken many months, and the completion of our Level 1 Report of Compliance (RoC) is a testament to our dedication to providing the highest level of secure environments to our clients and safeguarding their systems and information, as well as the information of all our clients’ customers.

At Spark::red we focus strongly on Security and Performance beyond the core ATG hosting services.  We handle more PCI DSS requirements than any other ATG Hosting provider out there.  If you are looking for an ATG Hosting provider to help manage your ATG web application, we can offer PCI Level 1 compliant hosting and handle many of your security needs.

Why you should be using a VPN

What is a VPN?

A VPN, or Virtual Private Network, is basically a secure encrypted link from your computer to a computer or network somewhere else.  Your computer then routes some or all of its network traffic over that encrypted link.  Typically they are used to access secure private or corporate networks from remote locations.  Your company might have you using a VPN, when you’re working from home, to access the corporate file server, SharePoint, SVN, etc…

Why Should You Use a VPN?

Wireless networks are more and more ubiquitous.  You’ll find WiFi at your local coffee shop, book store, McDonalds, and more.  WiFi is amazingly convenient.  It lets us stay connected and work from anywhere.  Unfortunately it is also typically insecure.  All your internet traffic is flying around through the air, and anyone can see it.  Many WiFi networks use various types of encryption to protect your traffic; however, most of those encryption mechanisms aren’t actually that secure.  The technology to break the encryption easily has been around for a while.

Recently it’s been made ten times easier:  A new Firefox plug-in called Firesheep automatically captures wireless traffic and presents clickable buttons which allow you to hijack (take over) other people’s sessions on common websites such as Facebook, Twitter, and more.

Even if you use SSL/HTTPS for logging in, many websites pass the session cookie over subsequent non-secure/non-SSL requests, so it can still be captured on the open network.

If you are using Wifi in any public location, you are potentially at risk of having your sessions and passwords stolen.  Using a VPN prevents this by fully encrypting all of your network traffic between your laptop and a secure server somewhere far away from the insecure WiFi network.

Fact: Everyone who uses WiFi should be using a VPN to protect themselves.

So How Do I Get a VPN?

In the past, setting up a VPN was usually a mix of expensive commercial products and complicated technical configurations.  That’s why usually it’s only large companies which use them.

Today there are much cheaper and easier options.  One example is Golden Frog’s VyprVPN, a personal, private and secure VPN.  It’s a very affordable, easy-to-set-up VPN solution.  I use it whenever I’m at the coffee shop or on public WiFi networks.  I strongly recommend you check it out, or another similar service.  This is a very real privacy and security threat.

ATG Newsletter Went Out

Our first Spark::red ATG Newsletter was sent on Tuesday morning! We’re pleased and proud to have delivered the first of many monthly ATG Newsletters.

In this newsletter we talk about the importance of improving your site performance, especially now that Google is using site performance as a search result ranking factor. We talk about Why, and provide several helpful links to help with How. I’d be remiss if I didn’t plug the fantastic ATG Hosting that Spark::red can provide, including extensive performance tuning at every level, web, app and database, using knowledge gained from 12 years of ATG experience.

We also reveal our PCI Compliant ATG Encryption Module, which is the first PCI compliant credit card encryption option for the ATG eCommerce Platform. It handles strong encryption, key management, importing plain text and encrypted data, periodic re-keying/re-encryption, and more. It’s the fastest and most affordable path to being able to pass a PCI audit for your ATG eCommerce application. Contact us for more info: sales@sparkred.com.

You can see the whole newsletter here: Spark::red ATG Newsletter #1, and if you haven’t already, I recommend signing up so you don’t miss the next one: Sign Up for the Sparkred ATG Newsletter!