Group items tagged

Permission Schemes

A permission scheme is a set of

assignments for the project permissions

Every project has a permission scheme

One permission scheme can be associated with multiple projects

Permission schemes prevent having to set up permissions individually for every project

JdbcRealm

A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations

security-specific DAOs

If for some reason you don't want your Realm implementation to perform authentication duties, you should override the supports(org.apache.shiro.authc.AuthenticationToken) method to always return false

does not require you to implement or extend any User, Group or Role interfaces or classes

Shiro tries to maintain a non-intrusive development philosophy

Separating object id and business key

recommend using the "semi"-unique attributes of your persistent class to implement equals() (and hashCode()

The database identifier property should only be an object identifier, and basically should be used by Hibernate only

Instead of using the database identifier for the equality comparison, you should use a set of properties for equals() that identify your individual objects

"name" String and "created" Date, I can use both to implement a good equals() method

Workaround by forcing a save/flush

work around by forcing a save() / flush() after object creation and before insertion into the set

Note that it's highly inefficient and thus not recommended

by the container in order to realize common use cases

An interface becomes a vehicle for encapsulation or abstraction,

“Interfaces are used to encode similarities which the classes of various types share, but do not necessarily constitute a class relationship. For instance, a human and a parrot can both whistle; however, it would not make sense to represent Humans and Parrots as subclasses of a Whistler class. Rather they would most likely be subclasses of an Animal class (likely with intermediate classes), but both would implement the Whistler interface.” [http://en.wikipedia.org/wiki/Java_interface]

Extensive use of interfaces derives from a

Premature Extensibility Is the Root of Some Evil

The number of artifacts will double and you will have to introduce a configuration facility

What is next after robustness diagrams? Robustness diagrams often act as bridge from use cases to other models.  For example, it is quite common to create sequence diagrams which represent the detailed design logic required to support the use case

Add an entity for each business concept

Add a use case whenever one is included in the scenario

Add a controller for activities that involve several other elements

Add a controller for each business rule

Add a controller to manage the overall process of the scenario being modeled

Add a boundary element for each major user interface element such as a screen or a report.

JPA 2.0, still contains only a subset of the features supported by many database vendors

features not supported in JP QL.

performance required by an application is to replace the JP QL query with a hand-optimized SQL version. This may be a simple restructuring of the query that the persistence provider was generating, or it may be a vendor-specific version that leverages query hints and features specific to a particular database.

recommend avoiding SQL initially if possible and then introducing it only when necessary

benefits of SQL query support is that it uses the same Query interface used for JP QL queries. With some small exceptions that will be described later, all the Query interface operations discussed in previous chapters apply equally to both JP QL and SQL queries.

keep application code consistent because it needs to concern itself only with the EntityManager and Query interfaces.

An unfortunate result of adding the TypedQuery interface in JPA 2.0 is that the createNativeQuery() method was already defined in JPA 1.0 to accept a SQL string and a result class and return an untyped Query interface

consequence is that when the createNativeQuery() method is called with a result class argument one might mistakenly think it will produce a TypedQuery, like createQuery() and createNamedQuery() do when a result class is passed in.

@NamedNativeQuery

resultClass=Employee.class

The fact that the named query was defined using SQL instead of JP QL is not important to the caller

SQL Result Set Mapping

JPA provides SQL result set mappings to handle these scenarios

A SQL result set mapping is defined using the @SqlResultSetMapping annotation. It may be placed on an entity class and consists of a name (unique within the persistence unit) and one or more entity and column mappings.

entities=@EntityResult(entityClass=Employee.class)

@SqlResultSetMapping

Multiple Result Mappings

A query may return more than one entity at a time

The SQL result set mapping to return both the Employee and Address entities out of this query

emp_id, name, salary, manager_id, dept_id

address_id, id, street, city, state, zip

order in which the entities are listed is not important

ntities={@EntityResult(entityClass=Employee.class), @EntityResult(entityClass=Address.class)}

Write unit tests

without involving the EntityManager

Let the tool (JPA-provider) generate the DDL

a) stop writing dynamic queries

b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)

Option #3: Escaping all User Supplied Input

Additional Defenses:

Perform: White List Input Validation

Primary Defenses

Defense Option 1: Prepared Statements (Parameterized Queries)

attacker is not able to

of a query, even if SQL commands are inserted by an attacker

allows the database to

distinguish

between

Defense Option 3: Escaping All User Supplied Input

"strong" password policy

Secure Password Recovery Mechanism

Require re-authentication for Sensitive Features

Authentication and Error Messages

can be used for the purposes of user ID and password enumeration

Incorrectly implemented error messages

generic manner

respond with a generic error message regardless if the user ID or password was incorrect

give no indication to the status of an existing account

Authentication responses

Invalid user ID or password"

does not indicate if the user ID or password is the incorrect parameter

Transmit Passwords Only Over TLS

must be exclusively accessed over TLS

unencrypted session ID

credentials

Implement Account Lockout

lock out an account if more than a preset number of unsuccessful login attempts are made

can produce a result that locks out entire blocks of application users accounts

is to lockout accounts for a number of hours

Session Management General Guidelines

 logout() 

An implementation of this interface must be thread safe

If authorization fails, either because the user is not logged in or because it doesn't have required rights, it must throw an appropriate org.granite.messaging.service.security.SecurityServiceException.

Writing a Security Service

nothing to do with a true Flex destination

only one instance of this service is used in the entire web-app and will be called by concurrent threads

This method is called upon each and every service method call invocations (RemoteObject) or subscribe/publish actions (Consumer/Producer). When used with RemoteObjects, the authorize method is responsible for checking security, calling the service method, and returning the corresponding result.

default implementation of this method in AbstractSecurityService is to do nothing

security services are not exposed to outside calls

15.6.1.1. What is a role? A role is a group, or type, of user that may have been granted certain privileges for performing one or more specific actions within an application

used to create logical groups of users for the convenient assignment of specific application privileges

15.6.1.2. What is a permission? A permission is a privilege (sometimes once-off) for performing a single, specific action. It is entirely possible to build an application using nothing but permissions, however roles offer a higher level of convenience when granting privileges to groups of users

consisting of three "aspects";

An empty @Restrict implies a permission check of componentName:methodName

implied permission required to call the delete() method is account:delete

equivalent of this would be to write @Restrict("#{s:hasPermission('account','delete')}")

@Restrict annotation may reference any objects that exist within a Seam context. This is extremely useful when performing permission checks for a specific object instance.

selectedAccount

selectedAccount

 Identity.instance().checkRestriction

If the expression specified doesn't evaluate to true, either if the user is not logged in, a NotLoggedInException exception is thrown or if the user is logged in, an AuthorizationException exception is thrown.

High-Level Overview

essentially a security specific 'view' of the the currently executing user

instances are all bound to (and require) a

When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager

'umbrella’ object that coordinates its internal security components that together form an object graph

‘connector’ between Shiro and your

Shiro looks up many of these things from one or more Realms configured for an application

component responsible determining users' access control in the application

if a user is allowed to do something or not

knows how to create and manage user

lifecycles

Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available

Shiro will use

if available, (e.g. Servlet Container)

if there isn't one, such as in a standalone application or non-web environment, it will use its

exists to allow any datasource to be used to

performs Session persistence (CRUD) operations on behalf of the SessionManager

allows any data store to be plugged in to the Session Management infrastructure

creates and manages Cache instance lifecycles used by other Shiro components

improve performance while using these data source

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

Tide will automatically inject shared data and correctly route events without requiring the application developer to write their own mechanism for sharing information or explicitly registering event listeners

Tide events are a simplification on the already existing Flex event framework

Subversion Tagging Plugin — This plugin automatically performs subversion tagging (technically speaking svn copy) on successful build.

ViewVC Plugin — This plugin integrates ViewVC browser interface for CVS and Subversion with Hudson.

Source code management

Build Pipeline Plugin — This plugin creates a pipeline of Hudson\Jenkins jobs and gives a view so that you can visualise it.

Build tools

JBoss Management Plugin — This plugin allows to manage a JBoss Application Server during build procedure

Maven 2 Project Plugin — Jenkin's Maven 2 project type

Phing Plugin — This plugin allows you to use Phing to build PHP projects.

Post build task — This plugin allows the user to execute a shell/batch task depending on the build log output. Java regular expression are allowed.

Promoted Builds Plugin — This plugin allows you to distinguish good builds from bad builds by introducing the notion of 'promotion'.

Publish Over SSH Plugin — Publish files and/or execute commands over SSH (SCP using SFTP)

Selenium AES Plugin — This plugin is for continuous regression test by Selenium Auto Exec Server (AES).

Vagrant Plugin — This plugin allows booting of Vagrant virtual machines, provisioning them and also executing scripts inside of them

Unicorn Validation Plugin — This plugin uses W3C's Unified Validator, which helps improve the quality of Web pages by performing a variety of checks.

Build wrappers

Android Emulator Plugin — Lets you automatically generate, launch and interact with an Android emulator during a build, with the emulator logs being captured as artifacts.

Artifactory Plugin — This plugin allows deploying Maven 2, Maven 3, Ivy and Gradle artifacts and build info to the Artifactory artifacts manager.

AWS Cloudformation Plugin — A plugin that allows for the creation of cloud formation stacks before running the build and the deletion of them after the build is completed.

Build Keeper Plugin — Select a policy for automatically marking builds as "keep forever" to enable long term analysis trending when discarding old builds - or use to protect logs and artifacts from certain builds

Build Name Setter Plugin — This plugin sets the display name of a build to something other than #1, #2, #3, ...

SSH plugin — You can use the SSH Plugin to run shell commands on a remote machine via ssh.

SeleniumRC Plugin — This plugin allows you to create Selenium server instance for each project build.

Vagrant Plugin — This plugin allows booting of Vagrant virtual machines, provisioning them and also executing scripts inside of them

Timestamper — Adds timestamps to the Console Output.

VirtualBox Plugin — This plugin integrates Jenkins with VirtualBox (version 3, 4.0 and 4.1) virtual machine.

Version Number Plugin — This plugin creates a new version number and stores it in the environment variable whose name you specify in the configuration.

VMware plugin — This plugin allows you to start a VMware Virtual Machine before a build and stop it again after the build completes.

AWS Cloudformation Plugin — A plugin that allows for the creation of cloud formation stacks before running the build and the deletion of them after the build is completed.

Desktop Notifier for Jenkins — This is useful for those who are looking for a Desktop Notifier for Jenkins builds to automatically notify you about failed builds directly from their desktops.

Email-ext plugin — This plugin allows you to configure every aspect of email notifications. You can customize when an email is sent, who should receive it, and what the email says.

Google Calendar Plugin — This plugin publishes build records over to Google Calendar

HTML5 Notifier Plugin — Provides W3C Web Notifications support for builds.

Jabber Plugin — Integrates Jenkins with the Jabber/XMPP instant messaging protocol. Note that you also need to install the instant-messaging plugin.

Build reports

Checkstyle Plugin — This plugin generates the trend report for Checkstyle, an open source static code analysis program. 

Clover PHP Plugin — This plugin allows you to capture code coverage reports from PHPUnit. For more information on how to set up PHP projects with Jenkins have a look at the Template for Jenkins Jobs for PHP Projects.

Crap4J Plugin — This plugin reads the "crappy methods" report from Crap4J. Hudson will generate the trend report of crap percentage and provide detailed information about changes.

Dependency Analyzer Plugin — This plugin parses dependency:analyze goal from maven build logs and generates a dependency report

Dependency Graph View Plugin — Shows a dependency graph of the projects using graphviz. Requires a graphviz installation on the server.

FindBugs Plugin — This plugin generates the trend report for FindBugs, an open source program which uses static analysis to look for bugs in Java code. 

Grinder Plugin — This plugin reads output result files from Grinder performance tests, and will generate reports showing test results for every build and trend reports showing performance results across builds.

JSUnit plugin — This plugin allows you publish JSUnit test results

Performance Plugin — This plugin allows you to capture reports from JMeter and JUnit . Hudson will generate graphic charts with the trend report of performance and robustness.

PerfPublisher Plugin — This plugin generates global and trend reports for tests results analysis. Based on an open XML tests results format, the plugin parses the generated files and publish statistics, reports and analysis on the current health of the project.

PMD Plugin — This plugin generates the trend report for PMD, an open source static code analysis program. 

Sonar plugin — Quickly benefit from Sonar, an open-source dashboard based on many analysis tools like Checkstyle, PMD and Cobertura.

testng-plugin — This plugin allows you to publish TestNG results.

Violations — This plug-in generates reports static code violation detectors such as checkstyle, pmd, cpd, findbugs, codenarc, fxcop, stylecop and simian.

xUnit Plugin — This plugin makes it possible to publish the test results of an execution of a testing tool in Jenkins.

Artifact uploaders

ArtifactDeployer Plugin — This plugin makes it possible to copy artifacts to remote locations.

Artifactory Plugin — This plugin allows deploying Maven 2, Maven 3, Ivy and Gradle artifacts and build info to the Artifactory artifacts manager.

Confluence Publisher Plugin — This plugin allows you to publish build artifacts as attachments to an Atlassian Confluence wiki page.

Deploy Plugin — This plugin takes a war/ear file and deploys that to a running remote application server at the end of a build

FTP-Publisher Plugin — This plugin can be used to upload project artifacts and whole directories to an ftp server.

HTML Publisher Plugin

Publish Over FTP Plugin — Publish files over FTP

Publish Over SSH Plugin — Publish files and/or execute commands over SSH (SCP using SFTP)

S3 Plugin — Upload build artifacts to Amazon S3

SCP plugin — This plugin uploads build artifacts to repository sites using SCP (SSH) protocol.

Hudson Helper for Android — Monitor your CI builds right from your Android device.

Hudson Mobi, the iPhone, iPod and Android client for Hudson CI — The iPhone, iPod and iPad client for Hudson CI monitoring on the road.

Hudson Monitor for Android — Monitor and display the status of your builds on your Android™ phone.

External site/tool integrations

ChuckNorris Plugin — Displays a picture of Chuck Norris (instead of Jenkins the butler) and a random Chuck Norris 'The Programmer' fact on each build page.

UI plugins

Active Directory plugin — With this plugin, you can configure Jenkins to authenticate the username and the password through Active Directory.

Audit Trail Plugin — Keep a log of who performed particular Jenkins operations, such as configuring jobs.

JClouds Plugin — This plugin uses JClouds to provide slave launching on most of the currently usable Cloud infrastructures.

Checkstyle Plugin — This plugin generates the trend report for Checkstyle, an open source static code analysis program. 

FindBugs Plugin — This plugin generates the trend report for FindBugs, an open source program which uses static analysis to look for bugs in Java code. 

JIRA Plugin — This plugin integrates Atlassian JIRA to Jenkins.

M2 Release Plugin — This plugin allows you to perform a release build using the maven-release-plugin from within Jenkins.

PMD Plugin — This plugin generates the trend report for PMD, an open source static code analysis program. 

Meme Generator Plugin — Generate Meme images when a build fails (and returns to stable), and post them on the project page.

Asynchronous Servlets Performance

With a non NIO or non Continuation based server, this would require around 11,000 threads to handle 10,000 simultaneous users. Jetty handles this number of connections with only 250 threads.

Classical synchronous model: 10,000 concurrent users -> 11,000 server threads. 1.1 ratio.

Comet asynchronous model: 10,000 concurrent users -> 250 server threads. 0.025 ratio.

classical (synchronous) servlet model

request -> immediate processing -> response

Comet implementations rely on a different model:

request -> wait for available data -> response

With synchronous servlet processing, each request is handled by one dedicated server thread

However, those locks limit concurrency and scalability when multiple transactions are executing insert statements at the same time

Backward compatibility.

not safe

when using

Auto-increment values are not ensured to be the same on the slaves as on the master if you use innodb_autoinc_lock_mode = 2 (“interleaved”) or configurations where the master and slaves do not use the same lock mode

mandatory