Wednesday, January 23, 2008

Intro to JBoss Seam Security, Part 1 - Authentication

Recently, I mentioned how I had just started working with the JBoss Seam application framework. The more I have worked with it, the more impressed I have become at how it makes things that are typically difficult using standard Java EE much simpler and more streamlined. One of the areas in which Seam really shines is security. While Java EE defines JAAS for use in securing applications, it is left up to the developer to ingrain this security down to each facet of the application. With Seam, it is easy to define security constraints at all levels of an application, simply through using annotations. In addition, the complexity of authenticating users with JAAS is reduced through Seam's authenticator mechanism. This article will give an introduction to Seam authentication, and show how to write your own custom authenticator.

Seam's authenticator construct hides the complexity of managing a JAAS configuration, and allows you to implement authentication how you see fit. Perhaps your organization relies on a simple username/password combination for authenticating user accounts in LDAP. Maybe you use a SecureID token, and the accounts are stored in a SQL database. By writing your own authenticator class, or making use of publicly available ones, you can control the way authentication is done in your organization.

To get started with your own authenticator, you must first declare it in the components.xml file. This file manages much of the configuration for Seam. To add your authenticator, you simply define the class and method that will be used for authentication. For example:

<components xmlns="http://jboss.com/products/seam/components"
xmlns:core="http://jboss.com/products/seam/core"
xmlns:security="http://jboss.com/products/seam/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://jboss.com/products/seam/components http://jboss.com/products/seam/components-2.0.xsd
http://jboss.com/products/seam/security http://jboss.com/products/seam/security-2.0.xsd">

<security:identity method="#{authenticator.authenticate}">

</components>


You'll notice the #{} syntax used here. This is JBoss' expression language pointing to a class with the instance name of authenticator, where the authenticate method will be used to login a user. Now that we have declared an authenticator to Seam, we're ready to implement it. Our example will be quite simple. If the user enters a username of admin, with a password of password, they will be authenticated successfully. In addition, we will assign them to the role of admin, so that they can perform some sort of administrative function within our application. The implementation of our authenticator would look like this:

@Name("authenticator")
public class Authenticator {

private static final String valid_user = "admin";
private static final String valid_password = "password";

public boolean authenticate() {
String username = Identity.instance().getUsername();
String password = Identity.instance().getPassword();

if((username.equals(valid_user)) && (password.equals(valid_password))) {
return true;
}

return false;
}

}
Our example is rather trivial. However, it gives a slight glimpse into how Seam authentication works. The first thing that you should notice is the @Name annotation. This annotation prompts Seam to create a bean with the name specified in the annotation. In this case, the name is authenticator, which is how we arrive at the value specified in our components.xml file. Our authenticate method will return true if authentication was successful, and false otherwise.

So how does the authenticate method get the username and password? This is done via the Identity class. The standard Identity class that comes with Seam is quite extensive, but basically provides support for a username/password combination. It is possible to subclass Identity, however, to support whatever authentication mechanisms you may need. You could implement code to support getting a SecureID token value from a user, or a SPNEGO ticket. All that is needed to make use of the Identity subclass is to add the following annotations to your implementation:

@Name("org.jboss.seam.security.identity")
@Scope(SESSION)
@Install(precedence = APPLICATION)
@BypassInterceptors
@Startup
public class MyCustomIdentity extends Identity
{ ... }

Your custom Identity subclass is now ready for use.

Now that we have our authentication classes in place, we are ready to create our login form. This is trivial to create using Seam, particularly because of Seam's use of the JBoss expression language in forms. Our login form fragment would look like the following:


<div>
<h:outputlabel for="name" value="Username">
<h:inputtext id="name" value="#{identity.username}">
</div>

<div>
<h:outputlabel for="password" value="Password">
<h:inputsecret id="password" value="#{identity.password}">
</div>

<div>
<h:commandbutton value="Login" action="#{identity.login}">
</div>


That's all there is to it. You are now ready to authenticate users via your own custom login form and authenticator. While this is an introduction to the simplified form of authentication in Seam, it should give you a good foundation to learn and explore on your own.

Next time, we will look at how authentication is used throughout an application, not just at the entry point.

Thursday, January 17, 2008

JBoss Seam - J2EE Development Framework

I know I have repeatedly said that an update to OdyssiPKI is forthcoming. But, I keep getting sidetracked by interesting technologies that I just have to check out. With this update of OdyssiPKI, I decided to make it a bit more robust, and to spend more time focusing on the overall design and engineering of the application. With that came the decision to make use of EJB's, particularly EJB3. In addition, I decided to try moving away from Struts and look into Java Server Faces (JSF) for the main user interface. Of course, all these changes mean that there is a lot more that I need to get familiar with before the next release is ready.

The primary motivation for such a radical change in the project design was to make OdyssiPKI a more robust application. Currently, the user interface is very lacking. It is a simple Struts interface, and is generally not very user-friendly. In addition, the backend components of the application are very simple. Transactions, scalability, and enhanced security were not a primary focus of the first release. The combination of EJB3 and JSF makes correcting these issues much easier. The security provided by EJB3 annotations means more fine-grained control. In addition, by utilizing EJBs for the business logic, the scalability of the application is enhanced. Further, anyone who has looked at Woodstock, RichFaces, or MyFaces, and it's spinoff projects has seen what a rich interface JSF is able to provide.

The downside to all of this change? Overhead. EJB3 and JSF add a lot of overhead to the application structure. Annotations, XML files, deployment descriptors, etc. All of this creates a pretty steep learning curve, and means that development takes even longer. It is frustrating, as a developer, to have to spend so much time writing XML files when I'd rather be writing code. This is why I was very intrigued to discover JBoss Seam. Since I was already planning to develop and deploy using JBoss, it seemed like it might be worth investigating this new application framework.

JBoss Seam is an application framework designed specifically for JavaEE applications. It integrates extremely well with JSF and EJBs, as well as other Java technologies, such as Spring and Hibernate. Seam handles dependency injection as well as dependency "outjection" of various components, making it easy to assemble application services. The result? The overhead and time-to-market for JavaEE applications is drastically reduced. Seam is as close to Rapid Application Development (RAD) as I've ever seen when it comes to Java applications. And, the code generation tools included with the Seam distribution make project development even faster.

One of the most interesting tools included with Seam is seam-gen. The seam-gen utility has the ability to generate a complete project structure for Eclipse or NetBeans, simply by running Ant and answering a few questions about the overall structure of your application. Deployment descriptors, a basic interface and project files are automatically generating using the parameters you supply. In addition, you can even generate data models from an existing SQL database. All you need to do is supply the necessary connection parameters.

If you are looking for an application framework that allows you to develop robust applications very quickly, make sure you take a look at Seam. In addition, I highly recommend downloading JBoss Tools. JBoss Tools is a group of Eclipse plugins for working with JBoss, Seam, Hibernate, and other Java technologies. Getting started with Seam in Eclipse is as simple as creating a new "Seam Plugin" and following the wizard. All of the necessary files, projects, and basic classes are created for you automatically.

I'm still experimenting and getting familiar with Seam myself, but will sure to post a tutorial in the near future. In the meantime, here are a few good articles explaining Seam a bit further.