Group items tagged

this annotation bypasses the management layer and as such it is recommended only for development and testing purposes

Defining a Managed DataSource

Installing a JDBC driver as a deployment

Installing the JDBC Driver

deployment or as a core module

managed by the application server (and thus take advantage of the management and connection pooling facilities it provides), you must perform two tasks.  First, you must make the JDBC driver available to the application server; then you can configure the data source itself.  Once you have performed these tasks you can use the data source via standard JNDI injection.

recommended way to install a JDBC driver into the application server is to simply deploy it as a regular JAR deployment.  The reason for this is that when you run your application server in domain mode, deployments are automatically propagated to all servers to which the deployment applies; thus distribution of the driver JAR is one less thing for administrators to worry about.

Note on MySQL driver and JDBC Type 4 compliance: while the MySQL driver (at least up to 5.1.18) is designed to be a Type 4 driver, its jdbcCompliant() method always return false. The reason is that the driver does not pass SQL 92 full compliance tests, says MySQL. Thus, you will need to install the MySQL JDBC driver as a module (see below).

Installing a JDBC driver as a module

<module xmlns="urn:jboss:module:1.0" name="com.mysql">  <resources>    <resource-root path="mysql-connector-java-5.1.15.jar"/>  </resources>  <dependencies>    <module name="javax.api"/>  </dependencies></module>

jboss-7.0.0.<release>/modules/com/mysql/main

define your module with a module.xml file, and the actual jar file that contains your database driver

content of the module.xml file

Under the root directory of the application server, is a directory called modules

module name, which in this example is com.mysql

where the implementation is, which is the resource-root tag with the path element

define any dependencies you might have.  In this case, as the case with all JDBC data sources, we would be dependent on the Java JDBC API's, which in this case in defined in another module called javax.api, which you can find under modules/javax/api/main as you would expect.

Defining the DataSource itself

   <datasource jndi-name="java:jboss/datasources/MySqlDS" pool-name="MySqlDS">      <connection-url>jdbc:mysql://localhost:3306/EJB3</connection-url>         <driver>com.mysql</driver>

    <drivers>      <driver name="com.mysql" module="com.mysql">        <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>      </driver>    </drivers>

jboss-7.0.0.<release>/domain/configuration/domain.xml or jboss-7.0.0.<release>/standalone/configuration/standalone.xml

High-Level Overview

essentially a security specific 'view' of the the currently executing user

instances are all bound to (and require) a

When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager

'umbrella’ object that coordinates its internal security components that together form an object graph

‘connector’ between Shiro and your

Shiro looks up many of these things from one or more Realms configured for an application

component responsible determining users' access control in the application

if a user is allowed to do something or not

knows how to create and manage user

lifecycles

Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available

Shiro will use

if available, (e.g. Servlet Container)

if there isn't one, such as in a standalone application or non-web environment, it will use its

exists to allow any datasource to be used to

performs Session persistence (CRUD) operations on behalf of the SessionManager

allows any data store to be plugged in to the Session Management infrastructure

creates and manages Cache instance lifecycles used by other Shiro components

improve performance while using these data source

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

SQL injection errors occur when:

Data enters a program from an

The data used to

consequences are:

Confidentiality:

sensitive data

Authentication

user names and passwords

Authorization

change this information

Integrity

read sensitive information

changes or even delete this information

JSR-303 (“Bean Validation”) ActionScript3 framework for form validation

validation framework is a specific adaptation of the JSR-303 (Bean Validation) specification to Flex: like its Java counterpart, it relies on validation annotations placed on bean properties and provides an engine API that lets you validate your forms without writing by hand a specific validator for each of your input fields

code generation tools provided by GraniteDS so that when you write your Java entity bean with validation annotations, they are automatically replicated in your ActionScript3 beans

problem with LCDS is mainly that it promotes a strict “client / server” architecture, with – roughly speaking – a heavy Flex client application connected to a server almost reduced to a database frontend

big majority of  these organizations use BlazeDS, a free and open-source subset of LCDS

need more advanced mechanisms than just Remoting start looking for open-source libraries to enable deeper integrations with the Java business layer, and GraniteDS is for sure the most popular project

“Flex Data Services” (now renamed to “Live Cycle Data Services”)

Flex Data Services seemed too “client-centric”

listen to lifecycle events during a session's lifetime

retain the IP address or host name of the host from where the session was initiated

can be prolonged via a touch() method to keep them 'alive' if desired

can use Shiro sessions in existing web applications and you

easily stored in any data source

can be

across applications if needed

'poor man's SSO'

simple sign-on experience since the shared session can retain authentication state

interface-based and implemented with POJOs

allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML

easily extend

customize session management functionality

session data can be easily stored in any number of data sources

easily clustered using any of the readily-available networked caching products

no matter what container you deploy to, your sessions will be clustered the same way

No need for container-specific configuration!

Shiro sessions can be 'shared' across various client technologies

listen for these events and react to them for custom application behavior

SecurityUtils.getSubject()

currentUser.getSession()

If the Subject already has a Session, the boolean argument is ignored and the Session is returned immediately

If the Subject does not yet have a Session and the create boolean argument is true,

and returned.

If the Subject does not yet have a Session and the create boolean argument is false, a new session will not be created and null is returned.

method functions the same way as the

HttpServletRequest.getSession(boolean create) method:

All managed entity instances are unique in a Tide context

Tide keeps the classic three layers web architecture, when LCDS removes the service layer, and is some kind of remote JPA provider for Flex applications

Tide approach is to minimize the amount of code needed to make things work between the client and the server

principles are very similar to the ones of JBoss Seam, which is the main reason why the first integration of Tide has been done with this framework. Integrations with Spring, EJB 3 and CDI are also available

need to compile your MXML/AS sources with the granite-essentials.swc and granite.swc libraries

Subject

'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'

Subject currentUser = SecurityUtils.getSubject();

SecurityManager

SecurityManager manages security operations for all users

Realms

Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.

Realm is essentially a security-specific DAO

Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more

Authorization

A permission is a raw statement of functionality, for example ‘open a door’, ‘create a blog entry’, ‘delete the ‘jsmith’ user’, etc. By having permissions reflect your application’s raw functionality, you only need to change permission checks when you change your application’s functionality. In turn, you can assign permissions to roles or to users as necessary at runtime.

“Run As” support for assuming the identity of another Subject

multipart/form-data

multipart/form-data

The catch comes when you look at the

there is hardly any behavior on these objects, making them little more than bags of getters and setters

I was chatting with

fundamental horror

it's so contrary to the basic idea of object-oriented design

data and process together

procedural style design

completely miss the point of what object-oriented design is all about

It's also worth emphasizing that putting behavior into the domain objects

One source of confusion in all this is that many OO experts do recommend putting a layer of procedural services on top of a domain model, to form a Service Layer

this isn't an argument to make the domain model

service layer advocates use a service layer in conjunction with a behaviorally rich domain model.

does not contain business rules or knowledge, but

data background

J2EE's Entity Beans

GraniteDS validation framework provides a set of standard constraints

Constraint Description AssertFalse The annotated element must be false AssertTrue The annotated element must be true DecimalMax The annotated element must be a number whose value must be lower or equal to the specified maximum DecimalMin The annotated element must be a number whose value must be greater or equal to the specified minimum Digits The annotated element must be a number whithin accepted range Future The annotated element must be a date in the future Max The annotated element must be a number whose value must be lower or equal to the specified maximum Min The annotated element must be a number whose value must be greater or equal to the specified minimum NotNull The annotated element must not be null Null The annotated element must be null Past The annotated element must be a date in the past Pattern The annotated String must match the supplied regular expression Size The annotated element size must be between the specified boundaries (included)

must use

Note that the bundle name must always be set to "ValidationMessages".

Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information when using Spring Security with stateless applications.

Run-as replacement: The system fully supports temporarily replacing the authenticated principal for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.

Tag library support: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Spring Security's ACL services, and obtaining extra information about the logged-in principal.

User Provisioning APIs: Support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration.

Enterprise-wide single sign on using CAS 3: Spring Security integrates with JA-SIG's open source Central Authentication Service (CAS)

implementation of the Flex remoting protocol and of the AMF3 data format, with out-of-the-box adapters for all usual Java frameworks

Changes for Hibernate 3.5 applications

if your application uses Hibernate 3 classes that are not available in Hibernate 4, for example, some of the validator or search classes, you may see ClassNotFoundExceptions when you deploy your application. If you encounter this problem, you can try one of two approaches: You may be able to resolve the issue by copying the specific Hibernate 3 JARs containing those classes into the application "/lib" directory or by adding them to the classpath using some other method. In some cases this may result in ClassCastExceptions or other class loading issues due to the mixed use of the Hibernate versions, so you will need to use the second approach. You need to tell the server to use only the Hibernate 3 libraries and you will need to add exclusions for the Hibernate 4 libraries. Details on how to do this are described here: JPA Reference Guide.

In previous versions of the application server, the JCA data source configuration was defined in a file with a suffix of *-ds.xml. This file was then deployed in the server's deploy directory. The JDBC driver was copied to the server lib/ directory or packaged in the application's WEB-INF/lib/ directory. In AS7, this has all changed. You will no longer package the JDBC driver with the application or in the server/lib directory. The *-ds.xml file is now obsolete and the datasource configuration information is now defined in the standalone/configuration/standalone.xml or in the domain/configuration/domain.xml file. A JDBC 4-compliant driver can be installed as a deployment or as a core module. A driver that is JDBC 4-compliant contains a META-INF/services/java.sql.Driver file that specifies the driver class name. A driver that is not JDBC 4-compliant requires additional steps, as noted below.

DataSource Configuration

domain mode, the configuration file is the domain/configuration/domain.xml

standalone mode, you will configure the datasource in the standalone/configuration/standalone.xml

MySQL datasource element:

        <connection-url>jdbc:mysql://localhost:3306/YourApplicationURL</connection-url>        <driver-class> com.mysql.jdbc.Driver </driver-class>        <driver> mysql-connector-java-5.1.15.jar </driver>

       <security>            <user-name> USERID </user-name>            <password> PASSWORD</password>        </security>

example of the driver element for driver that is not JDBC 4-compliant. The driver-class must be specified since it there is no META-INF/services/java.sql.Driver file that specifies the driver class name.

 <driver-class>com.mysql.jdbc.Driver</driver-class>

JDBC driver can be installed into the container in one of two ways: either as a deployment or as a core module

Install the JDBC driver

Install the JDBC driver as a deployment

In AS7 standalone mode, you simply copy the JDBC 4-compliant JAR into the AS7_HOME/standalone/deployments directory

example of a MySQL JDBC driver installed as a deployment:     AS7_HOME/standalone/deployments/mysql-connector-java-5.1.15.jar