ATG Dynamo Project Templates
Building an ATG Project from scratch involves setting up a bunch of directories for things like source code, configs, liveconfig, web applications, creating a build file, etc… This can be time consuming. Many of the build templates I have encountered have been overly complex, so I have created a pair of simple ATG project templates, with build scripts, based on the latest project I have been working on. They have some place-holder JSPs, but are not full-fledged applications, just starter project templates. There are .project files for Eclipse in each, but the overall structure and build file should work in any IDE.
This project template and build file are designed for an application built and deployed against ATG Dynamo 7.1 and DAS 6.3.
This project template and build file are designed for an application built against ATG Dynamo 2006.3 or ATG Dynamo 2007.1 and deployed on JBoss 4.
ATG Dynamo Modules
I am providing a collection of ATG modules designed to be easily deployable to handle a small, common, specific task or feature. They are packaged as a set of modules under an empty parent module for easier packaging. You just add whichever modules you wish to use to your modules list in your environment.sh file and ignore the rest.
The current version of the open source Digital Sanctuary ATG Modules is 1.2 (released on May 4th, 2008). They have been tested on ATG 7.1, but should work on 2006.3 and 2007.1 as well. You can download the module pack here:
Open Source ATG Modules (v 1.2) – updated on May 4th, 2008
This code is provided under the Apache License (version 2.0) which allows you to use it freely in both open and closed source products and projects. It allows you to modify the code as you see fit, without requiring you to release your changes or code. It’s a non-viral license and you should feel comfortable using this code in any commercial project. As a personal request I would very much appreciate any enhancements that you make being released back to me, so that these modules can be enhanced for everyone.
Currently the module list is:
A pipeline servlet which allows you to modify the cache expiration and no-cache response headers based on mime-type, parent directory, and specific URI using a simple ATG configuration file. This is especially useful if you are using transparent caching via Apache mod_cache or a CDN which keys off of cache headers in the response.
An ATG captcha implementation built on SimpleCaptcha. It includes SimpleCaptcha libraries, the configurations needed to create the captchas, and a FormHandler to validate the captcha text. This is built on code developed by Robert Ostronic.
Provides AES-256 encryption and decryption functionality from an ATG component. Also provides a Repository Property Descriptor which allows you to transparently encrypt properties in a Repository. Includes a key generation tool, or you can use this online one: AES Key Generator.
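As an added illustration of the encrypt/decrypt side of such a component (this is example code written for this page, not the Digital Sanctuary module's own implementation, whose cipher mode and storage format are not described above), the class below wraps AES-256 in GCM mode with a fresh random nonce per value and stores nonce and ciphertext together as one Base64 string, which is the shape a transparently encrypted repository property needs. The key is assumed to be 32 raw bytes supplied by whatever key-generation tool you use.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Example property cipher (not the module's code). Each call to encrypt() uses a
 * new 96-bit nonce, so two equal plaintexts never produce equal stored values,
 * and GCM's authentication tag rejects any stored value that has been altered.
 */
public class PropertyCipher {
    private static final int NONCE_BYTES = 12;   // recommended GCM nonce size
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();

    public PropertyCipher(byte[] rawKey) {
        if (rawKey.length != 32) {
            throw new IllegalArgumentException("AES-256 requires a 32-byte key");
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Generates a random 256-bit key; persist it outside the database. */
    public static byte[] generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey().getEncoded();
    }

    /** Returns Base64(nonce || ciphertext || tag), suitable for a string property. */
    public String encrypt(String plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        rng.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses encrypt(); throws AEADBadTagException if the value was tampered with. */
    public String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length <= NONCE_BYTES) {
            throw new IllegalArgumentException("stored value too short to contain a nonce");
        }
        byte[] nonce = Arrays.copyOfRange(in, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(in, NONCE_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key and a property value to protect.
        PropertyCipher pc = new PropertyCipher(generateKey());
        String stored = pc.encrypt("4111-1111-1111-1111");
        System.out.println("stored form: " + stored);
        System.out.println("round trip : " + pc.decrypt(stored));
        // Same plaintext, different stored form because the nonce is fresh each time.
        System.out.println("distinct   : " + !stored.equals(pc.encrypt("4111-1111-1111-1111")));
    }
}
```

On JDKs older than 8u161 a 256-bit AES key requires the unlimited-strength JCE policy files, so a deployment against the ATG versions named above should check that the `KeyGenerator` call does not fall back to a shorter key. Keeping the key out of the database is the whole point: an encrypted property only helps if a copy of the repository tables does not also contain the key.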
A pipeline servlet which replaces the Request object’s remoteAddr property with the true originating IP of the request, based on data in the X-FORWARDED-FOR request header.
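The check a practitioner wants around this is which hop of the header to believe: the leftmost value is written by whoever opened the connection, so anyone can put an arbitrary address there. The class below is an added example (not the module's code) that only honours X-Forwarded-For when the TCP peer is one of a configured set of proxies you operate, and then walks the header from the right to the last address that is not one of those proxies. The trusted proxy set and the sample addresses are constructed for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Resolves the originating client address from X-Forwarded-For, trusting only
 * hops appended by proxies we control. Example code, not the Digital Sanctuary
 * pipeline servlet; in ATG this logic would sit inside service() of a
 * PipelineableServlet before the request object's remoteAddr is replaced.
 */
public class ForwardedForResolver {

    private final Set<String> trustedProxies;

    public ForwardedForResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param remoteAddr the TCP peer address as seen by the application server
     * @param xffHeader  the raw X-Forwarded-For header value, or null if absent
     * @return the address to treat as the real client
     */
    public String resolve(String remoteAddr, String xffHeader) {
        // If the peer is not a proxy we operate, the header could have been set by the
        // client itself, so it carries no information worth acting on.
        if (!trustedProxies.contains(remoteAddr) || xffHeader == null || xffHeader.trim().isEmpty()) {
            return remoteAddr;
        }
        // Each proxy appends the peer it saw: "client, proxy1, proxy2". Walking from the
        // right, the first address that is not one of our proxies is the last hop whose
        // identity was recorded by something we trust.
        List<String> hops = Arrays.asList(xffHeader.split(","));
        String candidate = remoteAddr;
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (hop.isEmpty()) {
                continue;
            }
            candidate = hop;
            if (!trustedProxies.contains(hop)) {
                break;
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed values: 10.0.0.5 stands in for a load balancer we operate.
        Set<String> proxies = new HashSet<>(Arrays.asList("10.0.0.5"));
        ForwardedForResolver r = new ForwardedForResolver(proxies);
        // Normal case: client -> our balancer -> app server.
        System.out.println(r.resolve("10.0.0.5", "203.0.113.7, 10.0.0.5"));
        // Client supplied its own leftmost entry; it is ignored in favour of the hop the balancer saw.
        System.out.println(r.resolve("10.0.0.5", "1.2.3.4, 203.0.113.7"));
        // Direct connection from an unknown peer: header is not consulted at all.
        System.out.println(r.resolve("198.51.100.9", "203.0.113.7"));
    }
}
```

If the resolved address feeds anything security-relevant downstream (IP-based access rules, rate limiting, audit logs), the trusted proxy set should be exactly the addresses of your own balancer or CDN tier and nothing broader, and the raw header is worth keeping in the access log so a mismatch can be investigated later.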
An ATG Droplet which allows you to easily generate configurable RSS Feeds from Repository Items.
This module makes replacing the default ATG Personalization Profile password hashing mechanism (an un-salted MD5 hash) with a much more secure salted SSHA-256 hash as simple as activating the module.
The reasoning behind hashing passwords instead of simply storing the password is that people who gain access to your production database, either legitimately (DBAs, production support, etc…) or illegitimately (hackers, crackers, etc…) will be unable to see the user’s real password. This would prevent them from logging in to the site as that user, or worse, trying that username/password combination at other popular sites and potentially accessing the user’s MySpace, GMail, or eTrade account.
The out of the box behavior uses an un-salted MD5 hashing algorithm. Unfortunately this is not very secure. Unsalted hashes, basically hashes computed without any extra random value mixed in, are easy to attack using brute force. If you feed a dictionary into an MD5 hasher, you will end up knowing the hashes of all of those words, and you can map back and forth easily. These so-called Rainbow Files are easily available online. Recently I discovered that over 33% of user password MD5 hashes in a large production system were able to be found in rainbow files online. People tend to use simple passwords, which are easily looked up in these files.
By switching to a salted SSHA-256 hashing algorithm, users' passwords are more secure in two ways. First, by using a salt during the hashing process, Rainbow Files cannot be used to attack the password. It would require a separate Rainbow File for each possible salt, and the permutations make computing that many Rainbow Files impossible with current computing power. Second, the SSHA-256 algorithm is more secure than MD5, with fewer collisions and without a known weakness allowing an attacker to force a collision.
The short of it is that the out of the box behavior of ATG Personalization is not secure enough for today's needs. This module will secure your users' passwords much more effectively.
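To make the two points above concrete, here is an added example (written for this page, not the module's own code) of a salted SHA-256 password hasher in the `{SSHA256}` style: the stored value is Base64 of the digest followed by the per-user random salt, so verification can recover the salt without a separate column. The storage format and the 16-byte salt length are assumptions; the module's actual on-disk format is not described above. The `main` method also hashes the same password for two users with plain MD5 to show why unsalted hashes are lookup-able: identical passwords yield identical hashes, whereas the salted form differs every time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Example salted SHA-256 password storage (not the Digital Sanctuary module's code). */
public class SaltedSha256Password {
    private static final String PREFIX = "{SSHA256}";
    private static final int DIGEST_BYTES = 32;   // SHA-256 output size
    private static final int SALT_BYTES = 16;     // assumed salt length
    private static final SecureRandom RNG = new SecureRandom();

    /** Hashes a password with a fresh random salt; call this on registration or password change. */
    public static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] digest = digest("SHA-256", password, salt);
        byte[] packed = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, packed, 0, digest.length);
        System.arraycopy(salt, 0, packed, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(packed);
    }

    /** Recomputes the digest with the stored salt and compares in constant time. */
    public static boolean verify(String password, String stored) {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return false;
        }
        byte[] packed;
        try {
            packed = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
        if (packed.length <= DIGEST_BYTES) {
            return false;   // no salt present; treat as unverifiable rather than guessing
        }
        byte[] storedDigest = Arrays.copyOfRange(packed, 0, DIGEST_BYTES);
        byte[] salt = Arrays.copyOfRange(packed, DIGEST_BYTES, packed.length);
        // MessageDigest.isEqual does not short-circuit on the first differing byte.
        return MessageDigest.isEqual(storedDigest, digest("SHA-256", password, salt));
    }

    /** Legacy-style unsalted MD5, shown only to contrast with the salted form. */
    public static String unsaltedMd5Hex(String password) {
        byte[] d = digest("MD5", password, new byte[0]);
        StringBuilder sb = new StringBuilder();
        for (byte b : d) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] digest(String algorithm, String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: two users who happened to pick the same weak password.
        String pw = "password1";
        System.out.println("md5 user A : " + unsaltedMd5Hex(pw));
        System.out.println("md5 user B : " + unsaltedMd5Hex(pw));   // identical: one lookup breaks both
        String a = hash(pw);
        String b = hash(pw);
        System.out.println("ssha user A: " + a);
        System.out.println("ssha user B: " + b);                    // differs: salt is per user
        System.out.println("verify ok  : " + verify(pw, a));
        System.out.println("verify bad : " + verify("password2", a));
    }
}
```

A single SHA-256 round is still fast to compute, so a per-user salt defeats precomputed tables but does not slow down a targeted guess of one account; if you are already replacing the hashing component, a deliberately slow, iterated construction (PBKDF2, bcrypt or similar) gives the same salt benefit plus a work factor you can raise over time.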
Common utility code. This includes code used by many of the other modules, and also provides helpful utility classes you may find useful in your own application.