Karaf's JAAS modules in action

Karaf 2.1.0 has been just released! Among other new features, it includes a major revamp in the JAAS module support:
  1. Encryption support
  2. Database Login Module
  3. Role Policies
This post will use all 3 features, in order to create a secured Wicket application on Karaf, using Karaf's JAAS modules and Wicket's auth-roles module.

The application that we are going to build is a simple wicket application. It will be deployed on Karaf and the user credentials will be stored in a mysql database. For encrypting the password we will use Karaf's Jasypt encryption service implementation, to encrypt passwords using MD5 algorithm in hexadecimal format.

Step 1: Creating the database
The database that we are going to create will the simplest possible. We need a table that will hold username and password for each user. Each user may have one or more roles, so we will need a new table to hold the roles of the users.

We are going to create a user named "iocanel", that will have the roles "manager" and "admin" and password "koala" (stored in MD5 with hex output).

Note, for cases that a schema for user credentials already exists, Karaf's database login module offer's customization by allowing the user to provide custom queries for password and role retrieval.

Step 2: Creating a data source
In order to create a data source we will use the blueprint to create a DataSource as an OSGi service.
Before we do that we will need to install the mysql bundle and its prerequisite.
They can be easily installed from karaf shell.

osgi:install wrap:mvn:javax.xml.stream/stax-api/1.0
osgi:install wrap:mvn:mysql/mysql-connector-java/5.1.13 

Once all prerequisites are meet the datasource can be created by dropping the following xml under karaf deploy folder or by adding it under OSGI-INF/blueprint folder of our bundle.

Step 3: Creating a JAAS realm
In the same manner the new JAAS realm can be created by dropping the blueprint xml under the deploy folder or by adding it under OSGI-INF/blueprint folder of our bundle.

The new realm will make use of Karaf's JDBCLoginModule, and will also use MD5 encryption with hexadecimal output. Finally, it will be passed a role policy, that will add the "ROLE_" prefix on all role principals. This way our application can identify the role principals, without depending to the Karaf implementation.

If this isn't that clear, note that JAAS specifies interface Principal and its implementations provide User & Role principals (as implementing classes), making it impossible to distinguish between these two without having a dependency to the JAAS implementation or by having a common convention. This is what Role Policies is about.

Step 4: Creating the wicket application
Everything is set and all we need is to create the wicket application that will make use of our new JAAS realm in order to authenticate.

The first step is to create a Wicket Authenticated Session:

Now we need to tell our application to create such sessions and also where the location of our sign in page will be. For this purpose we will extend Wicket's AuthenticatedWebApplication class:
Now that everything is set up, we can restrict access to the HomePage to "admins" and "managers" by making use of Wickets

Final Words
I hope you found it useful. The source of this example will be added to this post soon, so stay tuned.

JavaOne and Oracle Develop 2010

I just returned home from Java ONE and Oracle Develop 2010 (which was also my first ONE) and I thought that it would be a good idea to take 5 minutes and share the experience.

The city of San Francisco was awesome and I couldn't find any other place in the world that could be best for the job. The weather, the size and the facilities where exactly what such event required. The organization was good enough and there were tons of sessions that I found exciting.

Don't let it cloud your judgment...
This is an alteration from a famous quote taken from "The Godfather" but its most fitting to this years Java One event. I found the excessive use of the buzz word "cloud" not only annoying but also misleading. There were tons of events, that used this buzzword to draw attention, even though there were not that related. The only thing I didn't see was:
"Taking Sushi to the Sky: Secrets for successful cooking in the premises and in the cloud".
 Note: The name above resembles with actual sessions. I am not implying anything negative about them.

And the winner is... Hadoop
For me by far the most interesting thing I saw in Java One was Apache Hadoop. To put in a sentence:

The Apache Hadoop project develops open-source software for reliable, scalable, distributed computing
I had the luck to join two great session about hadoop.
  1. Extracting Real Value from Your Data with Apache Hadoop. (HOL)
  2. Hadoop vs. Relational Database: Shout-out Between a Java Guy and a Database Guy.  (BOF)
The second one will definitely be published so don't miss it.

I also liked... XSTM
An other pretty interesting session I had the chance to watch was:
  • Simpler and Faster Cloud Applications Using Distributed Transactional Memory.
This was a session related to the open source project XSTM. Which I found so interesting, that if I could also found time, I would definitely love to work with it.

Final Thoughts
I would definitely love to join JavaOne next year too. Here are two things that I will do next year and I strongly recommend doing in such events
  1. Don't go with the buzz.  See the detailed description beyond the buzzwords.
  2. Don't spent time with things you already know. A one hour length session can be a good introduction to unfamiliar areas, but I can't see how the can "add" in an area you are already familiar with.