Group items tagged

bean-validation JPA, Bean Validation Shows how to use Arquillian to test Bean Validation

ejb-security Security, EJB Shows how to use Java EE Declarative Security to Control Access to EJB 3

payment-cdi-event CDI Demonstrates how to use CDI 1.0 Events

richfaces-validation RichFaces Demonstrates RichFaces and bean validation

ejb-in-war JSF, WAR, EJB Packages an EJB JAR in a WAR

greeter EJB, JPA, JSF, JTA, CDI Demonstrates the use of CDI 1.0, JPA 2.0, JTA 1.1, EJB 3.1 and JSF 2.0

helloworld-mdb EJB, MDB, JMS Demonstrates the use of JMS 1.1 and EJB 3.1 Message-Driven Bean

helloworld-rs JAX-RS, CDI Demonstrates the use of CDI 1.0 and JAX-RS

kitchensink BV, EJB, JAX-RS, JPA, JPA, JSF, CDI

servlet-async CDI, EJB, Servlet Demonstrates CDI, plus asynchronous Servlets and EJBs

servlet-security Security, Servlet Demonstrates how to use Java EE declarative security to control access to Servlet 3

shopping-cart EJB Demonstrates a stateful session bean

tasks Arquillian, JPA Demonstrates testing JPA using Arquillian

Asynchronous Servlets Performance

With a non NIO or non Continuation based server, this would require around 11,000 threads to handle 10,000 simultaneous users. Jetty handles this number of connections with only 250 threads.

Classical synchronous model: 10,000 concurrent users -> 11,000 server threads. 1.1 ratio.

Comet asynchronous model: 10,000 concurrent users -> 250 server threads. 0.025 ratio.

classical (synchronous) servlet model

request -> immediate processing -> response

Comet implementations rely on a different model:

request -> wait for available data -> response

With synchronous servlet processing, each request is handled by one dedicated server thread

org.granite.gravity.tomcat.GravityTomcatServlet

/gravityamf/*

6.3.1. Supported Application Servers

GraniteDS provides a generic servlet implementation that can work in any compliant servlet container

blocking IO and thus will provide relatively limited scalability

GraniteDS thus provides implementations of non blocking messaging for the most popular application servers.

asynchronous non blocking servlets

JBoss 5+org.granite.gravity.jbossweb.GravityJBossWebServletOnly with APR/NIO enabled (APR highly recommended)

GlassFish 3.xorg.granite.gravity.async.GravityAsyncServletUsing Servlet 3.0

Tomcat 7.x / Jetty 8.xorg.granite.gravity.async.GravityAsyncServletUsing Servlet 3.0

always have to include this library in either WEB-INF/lib

support for CDI is included in the library granite-cdi.jar

10.1. Configuration with Servlet 3 On Servlet 3 compliant containers, GraniteDS can use the new APIs to automatically register its own servlets and filters and thus does not need any particular configuration in web.xml. This automatic setup is triggered when GraniteDS finds a class annotated with @FlexFilter in one of the application archives:

@FlexFilter(configProvider=CDIConfigProvider.class) public class GraniteConfig { }  

list of annotation names that enable remote access to CDI beans

@FlexFilter declaration will setup an AMF processor for the specified url pattern

@TideEnabled

@RemoteDestination

always declared by default

10.3.2. Typesafe Remoting with Dependency Injection

It is possible to benefit from even more type safety by using the annotation [Inject] instead of In. When using this annotation, the full class name is used to find the target bean in the CDI context instead of the bean name.

Security

integration between the client RemoteObject credentials and the server-side container security

client-side component named

API to define runtime authorization checks on the Flex UI

bindable property

represents the current authentication state

integrated with server-side role-based security

clear the security cache manually with

services-config.xml

define manually the endpoint for remote services

service initializer in a static block of the main mxml file

Cdi.getInstance().addComponentWithFactory("serviceInitializer", DefaultServiceInitializer, { contextRoot: "/my-cdi-app" } );

tideAnnotations

is security-specific view of the

and that Subject instances are always bound to a thread to ensure we know who is executing logic at any time during the thread's execution

Subject instance must be created

Subject instance must be bound to the currently executing thread

Subject must be unbound to ensure that the thread remains 'clean' in any thread-pooled environment

Shiro has architectural components that perform this bind/unbind logic automatically

root Shiro Filter performs this logic when filtering a request

after creating a Subject instance, it must be bound to thread

Test Setup

'setup' and 'teardown'

can be used in both unit testing and integration testing

AbstractShiroTest

abstract class AbstractShiroTest

High-Level Overview

essentially a security specific 'view' of the the currently executing user

instances are all bound to (and require) a

When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager

'umbrella’ object that coordinates its internal security components that together form an object graph

‘connector’ between Shiro and your

Shiro looks up many of these things from one or more Realms configured for an application

component responsible determining users' access control in the application

if a user is allowed to do something or not

knows how to create and manage user

lifecycles

Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available

Shiro will use

if available, (e.g. Servlet Container)

if there isn't one, such as in a standalone application or non-web environment, it will use its

exists to allow any datasource to be used to

performs Session persistence (CRUD) operations on behalf of the SessionManager

allows any data store to be plugged in to the Session Management infrastructure

creates and manages Cache instance lifecycles used by other Shiro components

improve performance while using these data source

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

listen to lifecycle events during a session's lifetime

retain the IP address or host name of the host from where the session was initiated

can be prolonged via a touch() method to keep them 'alive' if desired

can use Shiro sessions in existing web applications and you

easily stored in any data source

can be

across applications if needed

'poor man's SSO'

simple sign-on experience since the shared session can retain authentication state

interface-based and implemented with POJOs

allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML

easily extend

customize session management functionality

session data can be easily stored in any number of data sources

easily clustered using any of the readily-available networked caching products

no matter what container you deploy to, your sessions will be clustered the same way

No need for container-specific configuration!

Shiro sessions can be 'shared' across various client technologies

listen for these events and react to them for custom application behavior

SecurityUtils.getSubject()

currentUser.getSession()

If the Subject already has a Session, the boolean argument is ignored and the Session is returned immediately

If the Subject does not yet have a Session and the create boolean argument is true,

and returned.

If the Subject does not yet have a Session and the create boolean argument is false, a new session will not be created and null is returned.

method functions the same way as the

HttpServletRequest.getSession(boolean create) method:

Step 2 securing some content

create a database that will hold the list of the authorized users along with their password

Create a new directory “auth” and add a new JSP under it, let’s call it “BackOffice.jsp“

enable Shiro into our project by adding a ServletFilter into our Web.xml

 <filter-class>05            org.apache.shiro.web.servlet.IniShiroFilter06        </filter-class>

10    <filter-mapping>11         <filter-name>ShiroFilter</filter-name>12         <url-pattern>/*</url-pattern>13    </filter-mapping>

classpath:shiro.ini

shiro-core

shiro-web

create shiro.ini under resource dir

07ds.jdbcUrl=jdbc:derby://localhost:1527/shiro_schema08ds.username = APP09ds.password = APP

15/auth/** = authcBasic16/** = anon

jdbcRealm.authenticationQuery

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm

setup the jdbc realm, this is where Shiro will find the authorized users

map the URLs to be protected, all the url under /auth should be authenticated with basic HTTP authentication

All the other URLs should be accessed without authentication

Add a new directory under src let’s call it production we will create a new shiro configuration file compatible with MySQL

06ds.serverName = localhost07ds.user = ADM08ds.password = secret12309ds.databaseName = shiro_schema

jdbcRealm which use a MySQL driver

added the appropriate dependency to maven pom.xml

mysql-connector-java

environment.type

staging

13                <jdbc.user>APP</jdbc.user>14                <jdbc.passwd>APP</jdbc.passwd>15                <jdbc.url>jdbc:derby://localhost:1527/shiro_schema</jdbc.url>16                <jdbc.driver>org.apache.derby.jdbc.ClientDriver</jdbc.driver>

src/main/resources

derbyclient

production

environment.type

45                <jdbc.user>ADM</jdbc.user>46                <jdbc.passwd>secret123</jdbc.passwd>47                <jdbc.ds>com.mysql.jdbc.jdbc2.optional.MysqlDataSource</jdbc.ds>48                <jdbc.serverName>localhost</jdbc.serverName>49                <jdbc.databaseName>shiro_schema</jdbc.databaseName>

src/production/resources

To build and run for staging

To build for production

-Denvironment.type=prod

highly type-safe

consistent

portable

CDI enhances the Java EE programming model in two more important ways

allows you to use EJBs directly as JSF backing beans

CDI allows you to manage the scope, state, life-cycle and context for objects in a much more declarative fashion, rather than the programmatic way

CDI has no component model of its own

set of services that are consumed by Java EE components such as managed beans, Servlets and EJBs.

well-defined create/destroy life-cycle that you can get callbacks for via the @PostConstruct and @PreDestroy annotations.

Managed beans

annotation

CDI also integrates with JSF via EL bean name resolution

CDI does not directly support business component services such as transactions, security, remoting, messaging

JSR 330 defines a minimalistic API for dependency injection solutions and is primarily geared towards non-Java EE environments.

Figure 1 shows how CDI fits with the major APIs in the Java EE platform.

none of this uses string names that can be mistyped and all the code is in Java and so is checked at compile time

are additional pieces of meta-data that narrow down a particular class when more than one candidate for injection exists

granite-beanvalidation.jar if you want to benefit from the integration with the Bean Validation API

configuration file declares 3 differents things

Channel endpoint

Service factories

Service/destinations

destinations using this factory will route incoming remote calls to EJB 3

endpoint

factory 

destination

channel 

factory

TomEE+

OpenEJB

Java API for XML Web Services (JAX-WS) Java API for RESTful Web Services (JAX-RS) Java EE Connector Architecture Java Messaging Service (JMS)

Java Servlets Java ServerPages (JSP) Java ServerFaces (JSF) Java Transaction API (JTA)