Sharing HTTPS, HTTP sessions in tomcat hosted web-apps

The requirement is to only serve the login page securely and once the user is authenticated (s)he should be redirected to non-secure http mode. I was struggling to do this quite some time back, and just thought of documenting about it.

The requirement

The idea I had was; “It should be quite simple”, Facebook does that, Google does that and why is it still not well documented ?, However the almost all Google search results for my queries were about simply redirecting HTTP traffic to HTTPS for certain URLs, some were using URL rewriting (mod_rewrite), and some have used server configuration via Tomcat’s server.xml.

What I really wanted to achieve is to preserve the state between the protocol switch. After some considerable amount of searching I found out this is not achievable (in a very clean manner) with tomcat or rather it is a conflict between security and state management in the servlet spec itself, hence there only exist a dirty hack (not sure if this works) to get it done, but even that hack couldn’t be applied to my scenario.

So after some thinking I came up with my own hack (I think its even dirtier 😉 ) to solve the issue; Its quite simple, and involves cookie manipulation. My approach was simply read the HTTPS cookie and set it as the HTTP cookie, what I need was one jsp which is served with HTTPS and few lines of Java code.

The solution
The solution

True enough it certainly looks like a hack, but security wise its as same as the Tomcat user group has suggested. so until the new servlet specification answers this question we have to live with this. the code of converting the cookies are as follows.

   
    Cookie[] cookies = request.getCookies();
    String sessionId;
    if (cookies != null) {
        for (Cookie c : cookies) {
            if (c.getName().equals("JSESSIONID")) {
                sessionId = c.getValue();
            }
        }
    }

    Cookie k = new Cookie("JSESSIONID", sessionId);
    k.setPath(request.getContextPath());
    response.addCookie(k);

Basically what the code does is, reading the secure cookies while inside the middle.jsp and setting them without security (k.setSecure() is not mentioned hence by default its false), and that’s about it, once this is done you can simply redirect to the HTTP page.

response.sendRedirect("http://foo.com:8080/index.jsp");  

and now the cookie which originally set via HTTPS is accessible to the HTTP requests, hence the session is shared.

Mashing up RDF data with WSO2 Mashup Server

Okey so this is the fun part that I promised to write about :D. I managed to cook up a use-case to demonstrate RDF querying and making use of the semantic data. The data that I am using for querying, is the rdf data sources available in the UK data.gov site. With some analysis I figured out that this task can be fundamentally archived using the combination of Mashup and Gadget Technologies. My choice of tools were WSO2 Mashup Server and WSO2 Gadget Server for their great flexibility and of cause for other obvious reasons :D. However the Mashup Server does not natively support RDF data retrieval, hence I had to do some work to get such functionality integrated. The great fact about the mashup server is its extensibility, the concept of host objects and the ability to write custom host objects and its pluggable nature comes handy in such cases. The high level architecture of what I am trying to achieve is as follows.

RDF data retrival with WSO2 Mashup server / WSO2 Gadget Server

To implement the above architecture with the tools at hand I created a custom host object that can be plugged to the Mashup Server. When dealing with semantic web related tasks and RDF data handling HP’s Jena java library comes in handy. With the use of Jena-ARQ (for SPARQL) api I managed to get the host object working with few lines of code.

.....
            Dataset dataSet = DatasetFactory.create(sparqlObject.rdfDataSource);
            // Create a new query form a given user query
            String queryString = sparqlObject.spaqrlQuery;
            Query query = QueryFactory.create(queryString);
            QueryExecution qe = QueryExecutionFactory.create(query, dataSet);
            ResultSet results = qe.execSelect();
.....
           resultString = ResultSetFormatter.asXMLString(results);
..... OR.....
           ByteArrayOutputStream bos = new ByteArrayOutputStream();
           ResultSetFormatter.outputAsJSON(bos, results);

With the host object in place, the next task was to create a Mashup in-order to query the rdf data with a given source (EndPoint or data source). The javascript service (Mashup) is created to serve this purpose, where the consumer can specify the RDF endpoint or the data source with the SPARQL query and retrieve the dataset in XML or JSON.

.....
function RdfDocQueryService(rdfDataSource, rdfQuery, resultType) {
   var sparqlObj = new SparqlHostObject();
   sparqlObj.rdfDataSource = rdfDataSource;
   sparqlObj.spaqrlQuery = rdfQuery;
   sparqlObj.resultType = resultType;
   return new XML(sparqlObj.getDataFromRdfSource());
}

Finally to bind everything together, lets try querying some data. My example usecase is to use the query at N2 blog to retrieve traffic monitoring points in UK roads. The query to retrieve the data set as follows,

#List the uri, latitude and longitude for road traffic monitoring points on the M5
PREFIX road:
PREFIX rdf:
PREFIX geo:
PREFIX wgs84:
PREFIX xsd:
SELECT ?point ?lat ?long WHERE {
  ?x a road:Road.
  ?x road:number "A4"^^xsd:NCName.
  ?x geo:point ?point.
  ?point wgs84:lat ?lat.
  ?point wgs84:long ?long.
}

To visualize these points I have created a gadget with the aid of Google Maps api. This gadget can be hosted in the Gadget Server, where it can dynamically retrieve traffic monitoring points for each road in the UK and display them in the map as follows.

Traffic points in A4 road, UK

Convert from HTML to XML with HTML Tidy

For few days I was involved with WSO2 Mashup Server 2.0 release documentation, giving a hand to the mashup team. Documentation is a painful task, but when comes to open source what matters mostly is documentation :D.
Last night I had to convert a bunch of html files (some Java Api Docs) to xml in-order to port into maven site. Formatting 30+ html files to xml !@#$%^&*@% :D. So I was googleing for a tool to automate the task. With few clicks here and there I found a nice article in Big Blue‘s developer works site, a tool called “Tidy“. When I tried to download and use I figure out that you can straight away apt-get the package and use. So,

sudo apt-get install tidy

and your box is now equiped with the tool, and can be accessed via the shell.

tidy -asxhtml -numeric  index.xml

but who wants to convert file by file when you have such a nice tool, so I spent few minutes in writing a tiny shell script to get the job done, the snippet is,

#!/bin/bash
for file in $(find $1 -type f -iname '*.html'); do
	myf=`echo $file | sed 's/html/xml/g'`
	tidy -asxhtml -numeric  $myf
done

All looked good, worked fine. However in my Api Docs I had, had few special tags, custom to our Mashup Apis (<imconfig>, <yahoo>, <mail:config>). Tidy gave error for these files since the tags are not recognized.

In such a case you can train Tidy for new tags, by adding few lines to the tidy configuration file. (/etc/tidy.config – You can also give your own config file at the prompt)

new-pre-tags: imconfig, yahoo, msn, aim, icq, jabber, username, password

There are whole bunch of tweeks you can do with tidy, [1], [2] and [3] are some useful links that you can read up when using the tool.

[1] : http://www.ibm.com/developerworks/library/x-tiptidy.html
[2] : http://tidy.sourceforge.net/
[3] : http://tidy.sourceforge.net/docs/tidy_man.html

Writing custom queries to retrieve data from WSO2 Governance Registry

WSO2 Governance Registry is a big part of wso2 governance product stack. Even though it is primarily aimed at managing, versioning, rating, and commenting on SOA artifacts it can also be used as a simple data store. with the 3.0 version the G-Reg gave support to custom query execution from the client side. This feature helps immensely when you use the registry for non-standard tasks. For me I had to do some pagination work for the comments that belongs to a particular resource, hence my approach was to write few custom quires to get the job done. The code is as follows.

	/**
	 * Returns a chunk of comments
	 * 
	 * @param resPath	Path to the comment
	 * @param start		The beginning index
	 * @param size		Size of the chunk
	 * @return			an array of comments
	 */
 public Comment[] getCommentSet(String resPath, int start, int size) {
		Registry registry = null;
		try {
			registry = ; // get an instance of the registry 

			Resource comQuery = registry.newResource();

                        // The Sql Statement
			String sql = "SELECT REG_COMMENT_ID FROM REG_RESOURCE_COMMENT RC, REG_RESOURCE R, REG_PATH P WHERE "
					+ "RC.REG_VERSION=R.REG_VERSION AND "
					+ "R.REG_NAME=? AND "
					+ "P.REG_PATH_VALUE=? AND "
					+ "P.REG_PATH_ID=R.REG_PATH_ID LIMIT ?, ?";

			// Set SQL statement as the resource content
                        comQuery.setContent(sql);

                       // Setting the media type and properties
			comQuery.setMediaType(RegistryConstants.SQL_QUERY_MEDIA_TYPE);
			comQuery.addProperty(RegistryConstants.RESULT_TYPE_PROPERTY_NAME, RegistryConstants.COMMENTS_RESULT_TYPE);

			registry.put("system/myQueries/query", comQuery);
                 String resourceName = "testResource";
                 String pathToResource = "/system/myResources"

			Map params = new HashMap();

                        //Setting the parameters
			params.put("1", resourceName);
			params.put("2", pathToResource);
			params.put("3", start);
			params.put("4", size);

                       // Executing the SQL statement
			Collection qResults = registry.executeQuery("system/myQueries/query", params);

			String[] qPaths = (String[]) qResults.getContent();

			Comment[] comments = new Comment[qPaths.length];
                        // Loading the comment data to comment object array 
			for (int i = 0; i < qPaths.length; i++) {
				if (registry.resourceExists(qPaths[i])) {
					comments[i] = (Comment) registry.get(qPaths[i]);
				}
			}

			return comments;

		} catch (Exception e) {
			String errorMsg = "Backend server error - could not get comment set";
			log.error(new MyTestException(errorMsg, e));
			return null;
		}

	}

Yeah simple as that you get your resources set without much effort. A big thank goes to Dimuthu

YUI file upload with jsp backend

For last two weeks I was working on some user interface logic and happened to use Yahoo UI library (YUI). The task was to upload an image using Ajax. Since I was new to YUI, I was looking here and there over the net for some references. There were some good ones but thats for PHP back-ends, but mine was a jsp back-end and i didn’t know how to read the object thrown out from the YUI side.

with some more digging I came across nice file handling library in Apache commons (Commons File Upload) and took use of it to do the task. the code is as follows.



YUI File UploadS
http://[PATH_TO_YUI]/yahoo-dom-event/yahoo-dom-event.js
http://[PATH_TO_YUI]/connection/connection-min.js

function init(){
  var onUploadButtonClick = function(e){
    //the second argument of setForm is crucial,
    //which tells Connection Manager this is a file upload form
    YAHOO.util.Connect.setForm('testForm', true);

    var uploadHandler = {
      upload: function(o) {
        alert(o.responseText);
      }
    };
  YAHOO.util.Connect.asyncRequest('POST', 'upload.php', uploadHandler);
  };
  YAHOO.util.Event.on('uploadButton', 'click', onUploadButtonClick);
}

YAHOO.util.Event.on(window, 'load', init);














I took the above code segment directly from a YUI file upload tutorial hence the credit goes to the author. The jsp back-end using apache commons file upload is as follows.
Continue reading YUI file upload with jsp backend

JSF, Spring together with apache CXF

Good tutorials and resources on Apache CXF How Tos are not easy to digg. I had to spend hours searching and reading to make my small application up and running, Integrating Spring with JSF was pretty straightforward, but when it comes to integrating those two with JSF i got stuck.

So this post is about exposing a web service as a web project using JSF front end / Spring backed and CXF for service invocation

before starting I should mention few valuable resource around the net.

The web service u used was the publicly available spelling checker which is used in the netbeans tutorial.

The Step by step guide as follows >>

Step 1 :

Create the classes from the WSDL you can use netbeans for this task or WSDL2JAVA command (wsdl2java [URL]) in the shell.

Continue reading JSF, Spring together with apache CXF

English – Sinhala Unicode Translator (ඉංග්‍රිසි – සිංහල භාෂා පරිවර්තකය)

Lat few days i was stuck with some web dev work for archmage. For the 1st time i had to localize a website in sinhala. Hence i had a longing desire to do something on sinhala i was glad. (Also getting payed for it 🙂 definitely a chance. ) so yeah the site is www.technology.lk still under construction. The site back-end is powered by Joomla CMS and the famous Ecom component virtuemart. I had to prepare a language pack (Sinhala) for virtuemart, not a hard task, yet translating about 200+ words to sinhala is a boring task, so i was googling for an English-Sinhala Translator tool, Found Madura Dictionary. Unfortunately the sinhala words given in madura is not in Unicode. so it was impossible to copy and paste in my language pack php script.

After having a chat with my dear friend sanda, he suggested a FireFox plug-in which was developed by the University of Colombo (UCSC) which does a similar task. the plug-in came with a sqlite database which consisted nearly 50,000 English to sinhala translation words, and in Unicode. I was thrilled to see this. So for my personal satisfaction I just put to gather a small translator tool where you can type an English word and it gives some Sinhala suggestions (in Unicode).

En-Si Trans

Made it in Java, also wanted to test this new swing look and feel called Substance which did work smoothly. so yeah you can download

this tool and use it, modify it or what ever 🙂 .

have fun,

p.s. : I will publish the Virtuemart Sinhala language pack in my next post.

Select Many Problem : JSF

After few days, got some time to write a post… well as i promised in my earlier post.. I thought of writing about the Annoying problem anybody will face while using selectMany component in JSF.

At 1st with out any experience what any one would do is writing both assessor and mutator methods to return and set A LIST of selected objects. some thing like

private List<myClass> selectList;

public List<myClass> getSelectList() {
return selectList;
}

public void setSelectList(List<myClass> selectList) {
this.selectList = selectList;
}

Even though this is the straight forward way, For some reason JSF implementation does not support it. In many places over the NET and in JSF forums, people have advised to use String Arrays, Saying you cannot use Java Collections in this scenario.

But Use of String Arrays are very much annoying and makes your work very messy. After some testing and trying I found this work around to take the selected objects as it is, not just the label string, Its pretty simple. Instead of using String arrays, Just use an array of your own class. Something like this

private myClass[] selectList;

public myClass[] getSelectList() {
return selectList;
}

public void setSelectList(myClass[] selectList) {
this.selectList = selectList;
}

Of-cause you have to use a converter in this case but not difference out there its just a normal converter for your class. So hope this tip will help

cheers !!

“Validation Error: Value is not valid” famous validation error, when using custom converters in JSF.

This is one problem i faced when i worked with select-many and select-one menus in Java Server Faces. For any one who have worked with JSF knows that you have to use custom converters in order to populate select-many and select-on menus with ur own data types.

if i elaborate on this a little bit, Select menus are not just there to show simple value-label pairs. you can give directly an object to its value and one of its fields as the label. for an example,

public ArrayList<SelectItem> getLandSelectList() {
if (landSelectList != null) {
return landSelectList;
}
    landSelectList = new ArrayList<SelectItem>();
List<Land> landList = this.getLandList();
for (int i = 0; i < landList.size(); i++) {
        landSelectList.add(new SelectItem(landList.get(i), landList.get(i)
.getLandsName_DE()));
}
return landSelectList;
}

The returning Select list can be taken to a select one or a select many list box like..

<h:selectOneMenu id=”listBoxLand
value=”#{userManagerBean.land}” required=”true”>
<f:selectItems value=”#{userManagerBean.landSelectList}” />
</h:selectOneMenu>
<h:message for=”listBoxLand” />

This component will set the selected land object directly to the backing bean. If you used simple value(some text or the id) – label pair. you should again query for the object from the selected id and save in the backing bean. but in this way that extra trouble will be handled by JSF.

The problem is if you do it just like this with out anything else.. you will get a wired validation error saying “Validation Error: Value is not valid“. This is where you start googling and debugging. Well after some hours of googling..(couldn’t do much debugging because this is a exception thrown by JSF framework) and reading about 10 to 20 forums i found out that the object which is loaded and the object wich was selected will be compared when setting to the backing bean. So if your object’s Class has not overridden the equals method this error message is shown.

So what you have to do is. if you are using your own data Objects for the select menus or in that case for any other JSF tag where you will use converters. You have to override the Equals method. Probably do the comparison with the Id, or with some unique value in that data Object. That’s it.. The problem solved. In my case the equals methods looks like

// overridden equals method
public boolean equals(Object obj) {
if (!(obj instanceof Land)) {
return false;
}
Land land = (Land) obj;

return (this.id == land.id);

}

Yeah hope this will be useful to some one.. !! I will write another post on how to use Java Collections when working with Select-Many menus.

Joomla Hack! Automated Joomla user registration via JSF form

Well this post is some what continuation of my last post.
What is the use of single sign on if you have to register in two different sites ? yeah this is the solution for that… What i wanted to do is, when a user registers in my java web application i wanted to register the same user in the PHP app. Since these two applications have different user data-tables (well in my project i cannot merge these tables or use one database. if that is your case just ignore this post.)

When a new user registers in my JAVA web app am taking that user form data and insert those to the joomla database. 🙂 (Yup I know.. What is there to blog about this ?)
But what went wrong is joomla use some extra data from 2 other different tables other than jos_users (in joomla database).

those tables are jos_core_acl_aro and jos_core_acl_groups_aro_map so when you are inserting the data to the jos_users table.. also save the data in to the other two tables as well.
there are foreign key constrains over these tables. so

1- Insert the user to the jos_users
2– take the user id from a select query and insert that user to the jos_core_acl_aro
3- takes jos_core_acl_aro id from a select query and insert it in to the jos_core_acl_groups_aro_map

take a look at the three tables then you will realize what you should do.

The other task is password encryption. well Joomla 1.5 uses md5 encryption mechanism to hash the passwords. When a password is created, it is hashed with a 32 character salt that is appended to the end of the password string. The password is stored as {TOTAL HASH}:{ORIGINAL SALT}.

you can see this method at plugins/authentication/joomla.php lines 80-116.

So what you have to do is take your password and make a {TOTAL HASH}:{ORIGINAL SALT} from it and save the created string. I found this information also in a discussion forum. which had shown a java class to do this task.. so yeah it was quite useful..

so that’s all about behind the seen registration 🙂

Have fun !