August 2006

Yale CAS Installation

Currently, I’m spending time on installing the Yale CAS, which may be the core module of my company in the near future.

Central Authentication Service, abbreviated as CAS, is a system dedicated to providing authentication to other software. To be clear, it provides authentication only, not authorization: it just checks whether the username matches the password in the configured data source.

After some investigation, I chose CAS from Yale University for a test. The reasons for the choice are simple. CAS is freeware, and most importantly many clients are using and supporting it. Most of the clients are universities around the world.

The requirements for the configuration are not tough at all. They are separated into server and client sides. For the server, what I’m using is listed below:

Server Configuration (cas-server-3.0.5)

  • Fedora Core Linux 4 / Windows XP Home Edition
  • J2SE SDK 1.5.0_05 (J2SE 5 or above)
  • Tomcat 5.0.28 / 5.5.12 (5.0.28+)

Client Configuration (cas-client-java-2.1.1)

Case 1:

  • Windows XP Home Edition
  • Tomcat 5.0.28
  • J2SE SDK 1.5.0_05

Case 2:

  • Windows XP Home Edition
  • JBoss AS 4.0.2
  • J2SE SDK 1.5.0_05

Case 3:

  • Fedora Core Linux 4
  • JBoss AS 4.0.2
  • J2SE SDK 1.5.0_05

Case 4:

  • Fedora Core Linux 4
  • Tomcat 5.5.12
  • J2SE SDK 1.5.0_05

Case 5:

  • Fedora Core Linux 4
  • Tomcat 5.0.28
  • J2SE SDK 1.5.0_05

In the above cases, only Cases 1 and 5 were successful for me. In fact, since all my stuff runs on the JVM, the operating system should not be a problem. Besides, the only common thing between the two cases is the Tomcat container version I used.

I was testing on three kinds of servers: Tomcat 5.0.28, Tomcat 5.5.12 and JBoss AS 4.0.2. On the latter two, I can successfully log in and the browser directs me back to my originally requested page. At this moment, the problem occurs. See the stack trace below:

java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1233)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:129)
at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:391)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:534)

After viewing the code of CASFilter at line 391, I guessed the problem comes from the CASReceipt class, which is not serializable. Maybe the two servers have some logic which enforces the use of Serializable on all objects throughout the server, and thus makes it fail. After that, thanks to the proof from Scott Battaglia, the case was logged to the Yale CAS Client JIRA instance (http://tp.its.yale.edu/jira/browse/JCC-21).
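An added example, not code from the CAS client or from Tomcat: a check that rejects a session attribute that is not Serializable and accepts a serializable snapshot of it. PlainReceipt, ReceiptSnapshot and requireSerializable are hypothetical names.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionAttributeCheck {

    // Hypothetical stand-in for a receipt class that does not implement Serializable.
    static class PlainReceipt {
        final String userName;
        PlainReceipt(String userName) { this.userName = userName; }
    }

    // Serializable snapshot holding only the fields the application needs.
    static class ReceiptSnapshot implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userName;
        ReceiptSnapshot(PlainReceipt r) { this.userName = r.userName; }
    }

    // Reject values that do not declare Serializable, then prove the claim
    // by actually writing the whole object graph to a throwaway buffer.
    static void requireSerializable(String name, Object value) {
        if (!(value instanceof Serializable)) {
            throw new IllegalArgumentException("setAttribute: Non-serializable attribute " + name);
        }
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value); // also catches non-serializable nested fields
        } catch (IOException e) {
            throw new IllegalArgumentException("Attribute " + name + " failed to serialize", e);
        }
    }

    public static void main(String[] args) {
        PlainReceipt receipt = new PlainReceipt("alice"); // constructed sample value
        try {
            requireSerializable("receipt", receipt);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        requireSerializable("receipt", new ReceiptSnapshot(receipt));
        System.out.println("snapshot accepted");
    }
}
```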

Besides that, I also had a tricky problem, and its solution, in setting up SSL. Normally, we can follow these instructions (http://www.ja-sig.org/products/cas/server/ssl/index.html). However, most newbies like me may not know that when creating a self-signed certificate, we should set the common name (CN) to be the same as the server address (for example, both are localhost).

Last, but not least, I found an interesting issue. When you’re doing a form submission using the POST method, and the requested action is one that needs to be authenticated (needs a redirect to the CAS page), the requested action is in the end called with the GET method instead of POST. It raises a question for me: will my original parameter values be exposed by this change of method? I’m still looking for the answer, but it seems the application can still hide those POST parameters.


Google Groups

Most people use groups as a discussion board, where members or guests can post articles. The readers can reply, rate, or just read. In fact, I use it a little bit differently.

My company blocks access to most web-mail clients. So, I just created a personal Google Group which only has myself as a member. My company will not block a group since it is always a resource of technical information. In this situation, Google Groups just fits what I need.

Besides, there are additional advantages on using Google Groups:

  • unlimited storage (at least it doesn’t show you any limit) - a group is unlike email: it assumes there are many members in a group, so it reserves more space for messages and files
  • view by topic - just like a Gmail account, you can group the topics into the same thread. This kind of function is much better than a traditional email account, where replies to the same message are scattered across different parts of the Inbox

I’m using Fedora Core 3 Linux in my office, but it only has a very old version of Firefox 1.0.4

I want to upgrade it, but when I looked at the Firefox website (http://www.getfirefox.com/), it only provides a zip package of Firefox for download. I unzipped it into my system and ran it, but it failed for some reasons that I don’t understand.

Now, I finally have another method, which installs using rpm. It is from the remi repository. All I need to do is download two packages and run two commands. The steps are:

  1. Download Firefox package firefox-1.5.0.5-1.fc4.remi.i386.rpm (19MB)
  2. Download Cairo package cairo-1.0.2-1.fc4.remi.i386.rpm (273 KB)
  3. Run “rpm -Uvh cairo-1.0.2-1.fc4.remi.i386.rpm” with root privileges
  4. Run “rpm -Uvh firefox-1.5.0.5-1.fc4.remi.i386.rpm” with root privileges

After that, the upgrade is done; all the data, cache and settings are imported to the new version. Everything is running fine for me.

Reference:

Discussion in Chinese - http://forum.moztw.org/viewtopic.php?t=14995
REMI Website in French - http://remi.collet.free.fr/index.php?2006/07/26/171-firefox-1505-1fc4remi


SCJP Reference Summary

Thanks to messages from the classmates of AJAX Work Shop, I have gathered some very good references which can help me to better prepare for my SCJP exam in the near future.

Web Resources:

“Thinking in Java”. Although it’s not intended exactly for SCJP students, there are many related topics discussed - http://forums.theajaxworkshop.com/viewtopic.php?t=148&highlight=

Chock-full of Java exams resources -
http://www.javaranch.com/

Dan Chisholm Certified Java Programmer Mock Exam -
http://www.danchisholm.net/

Books:

A Programmer’s Guide to Java Certification by Khalid A. Mughal / Rolf W. Rasmussen
Sun Certified Programmer & Developer for Java 2 Study Guide (Exam 310-035 & 310-027) (Paperback) by Kathy Sierra, Bert Bates

Both of these books can be borrowed from Hong Kong Public Library.

My Choice:

For myself, I finally picked a Chinese book, since I enjoy reading a Chinese technical book more than an English one. It is called:

JAVA 認證 - SCJP 5.0 猛虎出閘 published by GOTOP from Taiwan

I bought this book since it contains many questions which I can focus on whether I know the SCJP level questions.


Login Control

I remember that in my previous company, they wrote specialized software for doing user authentication for all the systems. That project was so large that it required many resources to work on it.

Now, I use the login authentication provided by JBoss instead. Through the login-config.xml configuration, I can easily set everything up.

Pros:

  • Easy to configure, saves time
  • There are many login modules. I’m using the one that authenticates against a database
  • The encryption is done for me. I don’t need to take care of security myself

Cons:

  • The interface is so simple
  • You can use a form instead, where you can put beautiful layouts around. However, the security level will be reduced

In order to strengthen the functions and security of the JBoss login to fit your needs, there is some more backend work to do.

For example, if you want to control the maximum number of login attempts, the original JBoss login cannot do this. You should implement your own logic. Here is an example.

Building a Custom JBoss Login Module - http://www.informit.com/articles/article.asp?p=389111&seqNum=7&rl=1
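
One way to implement the attempt limit, as an added example that is not taken from JBoss or the linked article: a lockout counter a custom login module could consult before and after checking the password. The class name, method names and thresholds are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class LoginAttemptLimiter {
    private static final class State {
        int failures;
        long lockedUntilMillis;
    }

    private final int maxFailures;
    private final long lockMillis;
    private final ConcurrentMap<String, State> states = new ConcurrentHashMap<String, State>();

    public LoginAttemptLimiter(int maxFailures, long lockMillis) {
        this.maxFailures = maxFailures;
        this.lockMillis = lockMillis;
    }

    // Call before checking the password; a locked account is refused outright.
    public boolean isLocked(String user, long now) {
        State s = states.get(user);
        if (s == null) return false;
        synchronized (s) { return now < s.lockedUntilMillis; }
    }

    // Call after a failed password check; the lock starts at the Nth failure.
    public void recordFailure(String user, long now) {
        State s = states.computeIfAbsent(user, k -> new State());
        synchronized (s) {
            if (++s.failures >= maxFailures) {
                s.lockedUntilMillis = now + lockMillis;
                s.failures = 0;
            }
        }
    }

    // Call after a successful login so old failures do not accumulate.
    public void recordSuccess(String user) { states.remove(user); }

    public static void main(String[] args) {
        LoginAttemptLimiter limiter = new LoginAttemptLimiter(3, 60_000L);
        long t = 0L; // constructed clock value, in milliseconds
        for (int i = 0; i < 3; i++) limiter.recordFailure("alice", t);
        System.out.println("locked at t=0: " + limiter.isLocked("alice", t));
        System.out.println("locked after 61s: " + limiter.isLocked("alice", t + 61_000L));
    }
}
```

Key the map on normalized usernames that exist in the user store; otherwise every bogus name submitted to the login form adds an entry.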


FireBug

FireBug - an extension for Firefox that helps to debug JavaScript errors.

In the past, it was always annoying to track down JavaScript errors. We always wasted so much time debugging JavaScript code. There are two major reasons.

  1. JavaScript is so difficult to inspect, since unlike Java, we cannot run it in debug mode and stop at a particular line to see the object state.
  2. Our JavaScript is written in JSP pages. Each time we need to change a little bit of JavaScript, or even add an alert message, the whole JSP needs to be compiled again. This compile time is much longer than for Java code.

Now, FireBug helps to solve those problems. It solves the first problem easily with its “Debugger” function: you can see the object references by going through the code line by line.

For the second problem, FireBug allows us to change the code contents ad hoc, and see the results using the “Debugger” as well.

FireBug actually has more than that. Here is a video covering the functions of FireBug in detail. Take a look!

A Guide to Javascript Debugging
http://www.digitalmediaminute.com/screencast/firebug-js/

Get FireBug:
https://addons.mozilla.org/firefox/1843/
http://www.joehewitt.com/software/firebug/


AJAX Useful Links

What You Should Know About AJAX Security: 24 Tutorials

Javascript Speed Tests

Surveying open-source AJAX toolkits

Ajax security basics

AJAX FAQ for the Java Developer


MD5 Encoding

By using MD5 encoding, we can create a hashed password using message digest technology. To do this, we can make use of a utility provided by JBoss. See the following:

If you need to generate passwords in code, the org.jboss.security.Util class provides a static helper method that will hash a password using a given encoding.

String hashedPassword = Util.createPasswordHash("MD5",
                                                Util.BASE64_ENCODING,
                                                null,
                                                null,
                                                "password");

OpenSSL provides an alternative way to quickly generate hashed passwords.

echo -n password | openssl dgst -md5 -binary | openssl base64

In both cases, the text password should hash to “X03MO1qnZdYdgyfeuILPmQ==”. This is the value that would need to be stored in the user store.

The above org.jboss.security.Util class can be found in the jbossx.jar shipped with JBoss Application Server.
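
Added example (not from the JBoss documentation or the original post): the same unsalted MD5/Base64 value computed with plain JDK classes, next to a salted PBKDF2 record, to show that an unsalted digest gives identical stored values for identical passwords. The record format and iteration count are assumptions and are not a JBoss login-module option.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHashDemo {
    // Unsalted MD5, Base64-encoded: the same computation as the openssl pipeline.
    static String md5Base64(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Salted, iterated hash (PBKDF2-HMAC-SHA256) stored as "iterations:salt:hash".
    static String pbkdf2(String password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 256);
        byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        Base64.Encoder b64 = Base64.getEncoder();
        return iterations + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(dk);
    }

    // Recompute with the stored salt and iteration count, compare in constant time.
    static boolean verify(String password, String stored) throws Exception {
        String[] p = stored.split(":");
        String recomputed = pbkdf2(password, Base64.getDecoder().decode(p[1]), Integer.parseInt(p[0]));
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Every account using "password" gets this same stored value.
        System.out.println("md5: " + md5Base64("password"));
        System.out.println("md5 records equal: " + md5Base64("password").equals(md5Base64("password")));
        SecureRandom rng = new SecureRandom();
        byte[] saltA = new byte[16];
        byte[] saltB = new byte[16];
        rng.nextBytes(saltA);
        rng.nextBytes(saltB);
        String a = pbkdf2("password", saltA, 600_000); // iteration count is an assumption
        String b = pbkdf2("password", saltB, 600_000);
        System.out.println("pbkdf2 records equal: " + a.equals(b)); // salts differ per account
        System.out.println("verify: " + verify("password", a));
    }
}
```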

Reference:

http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html


I have just joined an online course about AJAX.

AJAX is a new term meaning Asynchronous JavaScript and XML. As we can see from the name, it is composed of at least JavaScript and XML, and also HTML, DOM, etc. AJAX helps to send small amounts of data without refreshing the whole web page upon request. As a result, it provides a better web surfing experience.

I have wanted to learn about the actual programming technique for some time. Let’s see: if you can create an application just like Gmail, which performs just like Outlook on your computer, it’s so great and powerful.

Now, I’m also looking for some classmates to work together with. I hope that in the coming 10 weeks, I can learn a lot and get to know some new friends in this IT world.

10-week AJAX Training Course by Sang Shin - http://www.javapassion.com/ajaxcodecamp/

AjaxWorkShop - http://www.theajaxworkshop.com/index.php/Main_Page


SurgeMail is really an excellent mail server providing services like SMTP, POP, IMAP etc. It also includes a web interface that lets you configure, maintain and view the logs, which is actually a very useful tool.

It provides versions for many different platforms. I did tests on the Linux and Windows platforms. The one for Linux was not so successful, maybe due to my limited knowledge of Linux, so I tried the Windows version.

The installation procedure is so simple (that’s why there are no tutorials on its website, kidding :P) that you will finish it in just a few minutes. After that, enter its web interface, and you will be able to add some users to it. That’s all you need to do. Enjoy using it!!

SurgeMail - http://www.netwinsite.com/surgemail/

P.S. There is actually more to it than we expect from a mail server, try it out!

