Browsed by
Category: Java

Apache Shiro part 2 – securing a JSF Java EE 7 application

Apache Shiro part 2 – securing a JSF Java EE 7 application

apache shiro logo

In the first part I described why I chose Apache Shiro as an Authentication framework. In this part I will describe the simplest working solution to secure a Java EE7 application with JSF/Primefaces frontend. To be honest I wont use much of Primefaces in this sample but the application for which I did this research uses it so I added the dependency here and added an Primefaces component to this demo project.

Bootstrapping

I created an empty Java EE project via maven and added the needed Shiro dependencies as well as the Primefaces dependency to

the pom file.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>de.are_you_ready</groupId>
    <artifactId>shirotest</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <failOnMissingWebXml>false</failOnMissingWebXml>

        <apache-shiro.version>1.3.2</apache-shiro.version>
        <primefaces.version>6.0</primefaces.version>
        <junit.version>4.12</junit.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>javax</groupId>
            <artifactId>javaee-api</artifactId>
            <version>7.0</version>
            <scope>provided</scope>
        </dependency>

        <!-- Security -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>${apache-shiro.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>${apache-shiro.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-ehcache</artifactId>
            <version>${apache-shiro.version}</version>
        </dependency>

        <!-- PrimeFaces -->
        <dependency>
            <groupId>org.primefaces</groupId>
            <artifactId>primefaces</artifactId>
            <version>${primefaces.version}</version>
        </dependency>

        <!-- Testing -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>${junit.version}</version>
            <scope>test</scope>
        </dependency>

        <!-- Logging -->
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
    </dependencies>

    <build>
        <finalName>shirotest</finalName>
    </build>
</project>

Read More Read More

Apache Shiro part 1 – selecting a Java security framework

Apache Shiro part 1 – selecting a Java security framework

apache sharp logo
What is Shiro?
Apache Shiro is an open source Java security framework which makes authentication, authorization and cryptography very easy to use with a simple and small configuration. It is very portable because of its independence from the used application frameworks and covers all kinds of scenarios from console over desktop client to web applications.

Why Shiro?
I searched for a security solution (authorization and authentication) which I plan to reuse in multiple “pet projects” without having to think about the same problem over and over again. My actual project is a web project based on Java EE 7 and has at the moment a JSF/Primefaces frontend. I plan to extend the application with a REST interface and an alternative UI technology for personal testing/learning and research purposes. Maybe there will also be an iOS app later on which should use the then existent REST endpoint. With that in mind I need a flexible framework to support securing JAX-RS endpoints as well as my actual JSF UI.
I previously had some experience with the Java EE standard solution JAAS as well as the JBoss project Picketlink. Additional to that I’ve worked in projects using Spring Security (but had not much to do with it) which seems to be the industry standard nowadays but besides that I did a little research about possible alternatives I wasn’t aware of and came up with Apache Shiro and Keycloak.
This four/five tools and frameworks were the solutions I considered and researched which would be the best fit for me.

Read More Read More

Don’t rely on Java finalizers

Don’t rely on Java finalizers

java-logo
Recently I was facing a problem where a Java application should persist a part of its state when it was closed. This was already implemented but seemed to work just unreliably and it was not clearly reproducible when it worked properly and when it failed. After analyzing the existing source code I figured out that finalizers were used to implement the functionality by delegating the call of the persist logic to the garbage collector. This seems like a very good idea at first but lacks in reliability. As a short note up front don’t use finalizers for important things.

A finalizer is a method which represents the opposite of a constructor. It is a method with the purpose to do some cleanup work, free up some memory and so on which gets called by the garbage collector before the object gets collected. A simple example would look like this
[java]
protected void finalize() {
logger.info(“start important work before GC”);
fooBar.persist(this.getDataMap());
}
[/java]

Read More Read More

Java Forum Nord 2016

Java Forum Nord 2016

Java Forum Nord
Last week (October 20th) I attended the second “Java Forum Nord” in Hannover. The Java Forum is now in its second year but is the evolution of an older and smaller conference in Göttingen (Source Talk Tage). The relocation and renaming of the conference was necessary because it wasn’t possible to attract an audience huge enough to get top speakers to Göttingen. To make the transfer possible the JUG Deutschland which is located in Göttingen and hosted the Source Talk cooperates now with the JUG Bremen, JUG Hamburg, JUG Hessen (Kassel), JUG Ostfalen, SUN User Group Deutschland and the local JUG Hannover.
As a result the conference professionalized very quickly and the audience grew by a huge number. After the first edition in 2015 took place in a small Hotel at the Hannover main train station and was quickly sold out they relocated to the bigger Hotel Dormero in Hannover which had space for 400 participants and was sold out, too. After I would consider last year as a transition year I had this year the feeling to be on a very serious one day conference which had definitively left the amateur status. What makes this conference so special is that it is organized by the JUGs (Java User Groups) and aims for no profit which makes it possible to give very cheap tickets away.

Read More Read More

Removing Excel rows with POI

Removing Excel rows with POI

https://poi.apache.org
https://poi.apache.org

When generating Excel Sheets it is sometimes necessary to remove rows which match a given criteria afterwards. The first idea for this would be to use removeRow(Row row) but this has the problem that it deletes all the row contents and leaves the empty row in your sheet which is probably not what you want. To remove the rows as a whole the shiftRows(int startRow, int endRow, int n) is needed.
Lets say we have a xls file with column A being the title which is always filled but we want to remove every row in which the data column B is not filled. For this case the following snippet would be appropriate

Read More Read More