 |
Search |
 |
||||||||||||
|
wvreeven's BlogApache2 LDAP authorization for Subversion with OpenDSPosted by wvreeven on March 15, 2010 at 8:30 AM PDT
There are several ways to enable user authentication for web based applications, like .htaccess files, plain tekst files, databases, LDAP, etc. They all have their pros and cons. In case a central, flexible solution is needed, either a database or LDAP solution can be used. I chose for an LDAP solution since it can be reused by many web and application servers and the applications that run on them while many LDAP solutions provide excellent tooling and easy configuration. Since Yenlo strongly focuses on GlassFish and other Sun tools, I chose OpenDS to authenticate against.The idea is to create a bunch of users and put them into one or more groups. Each group gets access to one specific Subversion repository and every user that needs access to a certain subversion repositoy needs to be in the corresponding group. This blog describes the basic steps I took to get Basic HTTP authentication for Subversion using Apache2 and OpenDS. Setting up the serverThe server is running on Debian Etch, for which most of the required software is available via the Debian package repository. The packages I installed are apache2 apache2-mpm-prefork libapache2-svn subversion sun-java6-bin sun-java6-jdk sun-java6-jre Apart form these packages I downloaded and installed the OpenDS 2.2 zip file from the OpenDS homepage. For this purpose I created a user and a group called “opends” and the directory /usr/local/opends which I gave both ownership and group “opends”. Next I logged in as user opends and extracted the zip file into that directory. Finally, as root, I created a start and stop script and used the update-rc.d script to make sure OpenDS is automatically started and stopped when the server is started and stopped. Setting up SubversionLet’s suppose that our organisation has decided to create a Subversion repository for each development project that we do. This means that we would get a directory structure like this, with the leaves being the root directories of each repository:
/usr/share/subversion
/repository1
/repository2
The repositories were created as root using these commands in the /usr/share/subversion directory # svnadmin create repository1 # svnadmin create repository2 That’s all the configuration that was done to the Subversion repositories. Configuring OpenDSFirst, a basic setup of OpenDS needed to be done using the command $ /usr/local/opends/OpenDS-2.2.0/bin/setup For more info about this, see Setting Up the Directory Server. Please note that if you are not running OpenDS as root user, it will listen on port 1389. The next step was to configure OpenDS so it contains a few users and groups. The main configuration tool for OpenDS is called control-panel and, in my case, it can be started as user “opends” by issuing this command: $ /usr/local/opends/OpenDS-2.2.0/bin/control-panel With this tool, among other things, you can manage the entries in the directory. For my purpose I created the next layout
base dn (dc=yenlo,dc=nl)
organisation (o=yenlo)
organisational unit (ou=devel)
user (uid=wouter1, password = wouter1)
user (uid=wouter2, password = wouter2)
user (uid=wouter3, password = wouter3)
group (cn=group1, uniqueMember=wouter1,wouter2)
group (cn=group2, uniqueMember=wouter2,wouter3)
which is a very simple layout but sufficient for now. Note that I created two Subversion repositories and therefore two LDAP groups, one for each Subversion repository. Setting up Apache2 to get access to the Subversion repositoriesFirst I configured Apache2 so the two repositories were accessible to anyone using e.g. a web browser. After libapache2-svn is installed, the module should be enabled in the Apache2 configuration files automatically. To verify this, check the /etc/apache2/mods-enabled/ directory and make sure these symbolic links exist dav.load -> ../mods-available/dav.load dav_svn.conf -> ../mods-available/dav_svn.conf dav_svn.load -> ../mods-available/dav_svn.load If the first link is missing, create it as root using # a2enmod dav If the second and third are missing, create it as root using # a2enmod dav_svn To make sure the modules are loaded by Apache2, restart the server as root using # /etc/init.d/apache2 restart Now some modifications need to be made to the dav_svn configuration file /etc/apache2/mods-available/dav_svn.conf The idea is that there are two Subversion repositories that need to be configured individually. So, these two entries need to be put in the above mentioned configuration file <Location /svn/repository1> DAV svn SVNPath /usr/share/subversion/repository1 SVNListParentPath On SVNAutoversioning On SVNReposName “Repository1 Subversion Repository” </Location> <Location /svn/repository2> DAV svn SVNPath /usr/share/subversion/repository2 SVNListParentPath On SVNAutoversioning On SVNReposName “Repository2 Subversion Repository” </Location> Now, if you point your browser to either http://<host>/svn/repository1 or http://<host>/svn/repository2 you should see the root of your repository. Adding LDAP support using OpenDSIn order to use LDAP atuentication with Apache2, these two entries should be present in /etc/apache2/mods-enabled: authnz_ldap.load -> ../mods-available/authnz_ldap.load ldap.load -> ../mods-available/ldap.load If they aren’t present, you can enable them as root with these commands # a2enmod authnz_ldap # a2enmod ldap # /etc/init.d/apache2 restart Now, each <Location> entry in /etc/apache2/mods-available/dav_svn.conf should be extended with these lines in order to get LDAP authentication working with OpenDS. Please note that you should pay attention to the group you assign to each subversion repository location. I am only showing the configuration addition for repository1 and leave it as an excercise to you to setup the second repository configuration. Also please note you make sure the correct password for the Directory Manager is provided. For more info about these configuration settings, please consult the OpenDS WIKI page on Apache Web Server. AuthType Basic AuthName “Repository1 Subversion Repository” AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL ldap://localhost:1389/dc=yenlo,dc=nl?uid AuthLDAPBindDN “cn=Directory Manager” AuthLDAPBindPassword mypassword AuthLDAPGroupAttribute uniqueMember AuthLDAPGroupAttributeIsDN on Require ldap-group cn=repository1,ou=devel,o=yenlo,dc=yenlo,dc=nl Issue a final # /etc/init.d/apache2 restart and you should be prompted for a username and password when you try to access either repository. Using the correct uid and password combination should grant you access to the repository. Next steptsThe authentication mechanism we chose, Basic autentication, posts usernames and passwords in plain text, which potentially could be harmful in case someone sniffes the connection. I would strongly recommend to setup SSL based connections. Moreover, this blog post only shows how to secure one repository layout using LDAP. Both Subversion and Apache are sufficiently flexible that other layouts are possible. Those layouts most likely require tweaking of the Apache2 configuration options. Finally, I am not an LDAP expert so the directory structure I chose in OpenDS most likely can be much improved. However, following the steps in this article should get you on your way to using OpenDS incombination with Apache2.
This entry was originally posted on the Yenlo B.V. weblog. »
Comments
Comments are listed in date ascending order (oldest first)
Getting started with PrimeFaces on GlassFish v3Posted by wvreeven on January 7, 2010 at 5:35 AM PST
According to the PrimeFaces website, "PrimeFaces is an open source component suite for Java Server Faces featuring 70+ Ajax powered rich set of JSF components. Additional TouchFaces module features a UI kit for developing mobile web applications.". Since it is an OpenSource JSF implementation that is very close to releasing JSF 2.0 compliant components, I figured it was time to try it out on GlassFish v3. A very easy and powerful way of creating Java EE 6 compliant applications, is to use NetBeans 6.8, which comes with great GlassFish v3 and Maven support. The first thing to do is to create a new Maven Web Application. The wizard that helps you create it allows you to specify the Java EE version, which in this case should be 6. In order to make sure the PrimeFaces libraries are included in your project, add the next dependency to your pom.xml file <dependency> <groupId>org.primefaces</groupId> <artifactId>primefaces</artifactId> <version>2.0.0.RC</version> </dependency> Since the PrimeFaces jars are hosted on the PrimeFaces Maven repository, you'll need to add the repository as well: <repository> <id>prime-repo</id> <name>Prime Technology Maven Repository</name> <url>http://repository.prime.com.tr/</url> <layout>default</layout> </repository> PrimeFaces makes use of a servlet to get hold of resources, like css and JavaScript. Therefore, you need to register the Resource Servlet in web.xml like this <servlet> <servlet-name>Resource Servlet</servlet-name> <servlet-class>org.primefaces.resource.ResourceServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>Resource Servlet</servlet-name> <url-pattern>/primefaces_resource/*</url-pattern> </servlet-mapping> A split paneA simple index.xhtml file with a split pane may then look like this
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:p="http://primefaces.prime.com.tr/ui">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>PrimeFaces Test</title>
<p:resources />
</head>
<body>
<p>
<p:layout style="width:400px;height:200px;">
<p:layoutUnit position="west" size="100">Left Pane</p:layoutUnit>
<p:layoutUnit position="center">Right Pane</p:layoutUnit>
</p:layout>
</p>
</body>
</html>
which looks like this
The left bar is the one being dragged by the mouse. File uploadAnother nice PrimeFaces component is the fileUpload component. It supports single and multiple file uploads. To be able to use the fileUpload component, a few Apache Commons dependencies need to be added: <dependency> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-io</artifactId> <version>1.3.2</version> </dependency> Next, a filter needs to be added to web.xml and the JavaServer Faces state saving method should be set to server. So, add these lines to web.xml <context-param> <param-name>javax.faces.PROJECT_STAGE</param-name> <param-value>Development</param-value> </context-param> <context-param> <param-name>javax.faces.STATE_SAVING_METHOD</param-name> <param-value>server</param-value> </context-param> <filter> <filter-name>PrimeFaces FileUpload Filter</filter-name> <filter-class>org.primefaces.webapp.filter.FileUploadFilter</filter-class> <init-param> <param-name>thresholdSize</param-name> <param-value>51200</param-value> </init-param> <init-param> <param-name>uploadDirectory</param-name> <param-value>/tmp</param-value> </init-param> </filter> <filter-mapping> <filter-name>PrimeFaces FileUpload Filter</filter-name> <servlet-name>Faces Servlet</servlet-name> </filter-mapping> Then a JSF ManagedBean is needed to handle the file uploads. A very simple one, that doesn't do anything with the uploaded files at all, may look like this
@ManagedBean(name = "fileUploadController")
@RequestScoped
public class FileUploadController implements FileUploadListener {
@Override
public void processFileUpload(FileUploadEvent event) throws AbortProcessingException {
System.out.println("Uploaded: " + event.getFile().getFileName());
FacesMessage msg = new FacesMessage("Succesful", event.getFile().getFileName() + " is uploaded.");
FacesContext.getCurrentInstance().addMessage(null, msg);
}
}
Finally, change index.xhtml to this
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:p="http://primefaces.prime.com.tr/ui">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>PrimeFaces Test</title>
<p:resources />
</head>
<body>
<p>
<h:form id="form" enctype="multipart/form-data" prependId="false">
<p:growl id="messages" />
<p:layout style="width:400px;height:200px;">
<p:layoutUnit position="west" size="100">Left Pane</p:layoutUnit>
<p:layoutUnit position="center">Right Pane</p:layoutUnit>
</p:layout>
<p:fileUpload fileUploadListener="#{fileUploadController.processFileUpload}" id="documentToUpload"
allowTypes="*.jpg;*.png;*.gif;" description="Images" update="messages"/>
</h:form>
</p>
</body>
</html>
Redeploy and the result looks like this
ConclusionIt is quite easy to get started with PrimeFaces using Maven and GlassFish. Please bear in mind that the fileUpload component is quite picky concerning the order in which the filters are specified in web.xml in case there is more than one. Please see this forum thread for more info. In case you're having troubles following the instructions in this blog, here is my NetBeans project. Since it is a Maven project you should be able to open it in Eclipse or any other IDE. This entry was originally posted on the AMIS Technology Blog.
»
Related Topics >>
Ajax Blogs Glassfish J2EE Java Enterprise NetBeans Netbeans Open Source Web Applications Comments
Comments are listed in date ascending order (oldest first)
You need to install the
Submitted by wvreeven on Mon, 2010-01-11 05:00.
You need to install the GlassFish v3 plugin and GlassFish v3 to be able to use JSF 2.0 in NetBeans 6.71. Even better: please download NetBeans 6.8 and use that :-)
HTH, Wouter Problems right out of the gate...
Submitted by krasman on Sun, 2010-01-17 17:36.
Hi Wouter,
A few things when trying to follow this tutorial.
1) Creating a project out of Netbeans 6.8 using the Maven Web Application archetype produces no WEB-INF directory or a containing web.xml file. What web.xml file am I to update?
2) Your instructions for updating mappings in the web.xml (comparing to your completed project) would seem to be incomplete.
3) Finally, even after grabbing your project code and deploying it (no compile issues) server is complaining about a 404 issue.
I'm using NB 6.8 with released GF 3 domain.
Java EE 6 and GlassFish 3.0 released!Posted by wvreeven on January 6, 2010 at 12:01 AM PST
In the past few month several Java EE 6 related JSRs (Java Specification Requests) have been finalized. The final ballot for them ended on November 30 and all were approved. Today, December 10, 2009, Java EE 6 and GlassFish v3, THE reference implementation of Java EE6, are released. Four and a half year after the release of Java EE 5 we enter the next Java EE era. GlassFish v3 is the first application server that fully supports all Java EE 6 technologies. The list of supported technologies includes, but is not limited, by
GlassFish v3 can be downloaded in two flavours. The first one contains all of the Java EE 6 technologies, the second one contains all technologies that are specified in the Java EE 6 Web Profile specification.
If there was only one GlassFish v3/Java EE 6 thing I'd like to mention then it would be that Java EE has become more powerful than ever before. Now we can do with annotations instead of XML configuration, we can do without ear files because war files are sufficient, Ajax has been standardized, and asynchronous calls are supported all the way from the client almost down to the database. And now you can do all that with GlassFish v3. A reason to celebrate? You bet it is!
For those wanting to know all there is to know about GlassFish v3, please attend the Virtual Conference on December 15. For more info, see the conference flyer. You may also want to visit the GlassFish Community Home-page and the GlassFish Enterprise Home-page (should be live any moment now). Finally, you can download the Java EE 6 SDK and find even more info at the Java EE 6 homepage. This blog entry was originally posted on the AMIS Technology Blog. »
Related Topics >>
Ajax Blogs EJB Glassfish J2EE Java Enterprise Open Source Servlets Tools Web Applications Comments
Comments are listed in date ascending order (oldest first)
Wrong date
Submitted by wvreeven on Wed, 2010-01-06 02:02.
For some reason this entry was set back to Draft. I just republished it and the blog date was set to today, January 6, 2010. Feels kind of silly :-) Feels kind of silly Talking
Submitted by dxxvi on Thu, 2010-01-07 08:35.
Feels kind of silly
Talking about silliness :), are web beans and cdi the same? and why is there no version for web beans, cdi and bean validation?
Difference between WebBeans and CDI
Submitted by wvreeven on Thu, 2010-01-07 08:40.
No, WebBeans and CDI are not the same. CDI is a very simple dependency injection mechanism, while WebBeans extends CDI and adds more injection annotations and more scopes (among other things). They don't have a version, I guess, because first releases of specs hardly ever have a version. |
||||||||||||
|
|||||||||||||
|
Exception on startup