Wednesday, November 14, 2012

Example Shiro setup w/o database backing in grails


When we decided to implement Shiro for our roles based authentication and authorization in our grails app we were initially excited but it turned into a real beast to get into our system. The biggest problem was getting it to work on a system that uses api calls and doesn't directly access the database to auth users.  There was no good example or documentation for this approach out there so it was difficult.  Here are the basics to how we solved it.

First we added some beans to the applicationContext.xml


<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
   <property name="securityManager" ref="securityManager"/>
   <!-- override these for application-specific URLs if you like:-->
   <property name="loginUrl" value="/"/>
   <property name="successUrl" value="/search/newSearch"/>
   <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
   <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean  -->
   <!-- defined will be automatically acquired and available via its beanName in chain        -->
   <!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
        <property name="filters">
            <map>
                <entry key="authc">
                    <bean class="org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter"/>
                </entry>
            </map>
        </property>
   <property name="filterChainDefinitions">
       <value>
           # some example chain definitions:
           /search/** = authc
           /session/** = anon
           /internal/** = anon
           /** = anon
           # more URL-to-FilterChain definitions here
       </value>
   </property>
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
   <!-- Single realm app.  If you have multiple realms, use the 'realms' property instead. -->
   <property name="realm" ref="exampleRealm"/>
   <property name="cacheManager" ref="shiroCacheManager"/>
   <!-- By default the servlet container sessions will be used.  Uncomment this line
        to use shiro's native sessions (see the JavaDoc for more): -->
   <!-- <property name="sessionMode" value="native"/> -->
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<bean id="allCredentialsMatcher" class="org.apache.shiro.authc.credential.AllowAllCredentialsMatcher" />

<!-- Define the Shiro Realm implementation you want to use to connect to your back-end -->
<!-- security datasource: -->
<bean id="exampleRealm" class="com.ourcompany.otherstuff.ExampleRealm" >
<property name="accountDomain" >
<ref bean="accountDomain" />
</property>
<property name="credentialsMatcher">
<ref local="allCredentialsMatcher" />
</property>
<property name="authorizationCacheName">
<value>shiroAuthCache</value>
</property>
</bean>

<bean id="ehCacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
<property name="configLocation">
            <value>/WEB-INF/ehcache.xml</value>
        </property>
</bean>

<bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManager" ref="ehCacheManager"/>
</bean>

<bean id="permissionLoader" class="com.ourcompany.otherstuff.permission.PermissionLoader" init-method="load">
<constructor-arg ref="shiroCacheManager" />
</bean>


In the web.xml we added the following:



<!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml -->
<filter>
   <filter-name>shiroFilter</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   <init-param>
       <param-name>targetFilterLifecycle</param-name>
       <param-value>true</param-value>
   </init-param>
</filter>

<!-- Shiro mapping should go first so it can function in the next ones -->
<filter-mapping>
   <filter-name>shiroFilter</filter-name>
   <url-pattern>/*</url-pattern>
   <!--dispatcher>REQUEST</dispatcher> 
   <dispatcher>FORWARD</dispatcher> 
   <dispatcher>INCLUDE</dispatcher> 
   <dispatcher>ERROR</dispatcher-->
</filter-mapping>
    <filter-mapping>
        <filter-name>charEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>sitemesh</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>



Then we created some classes


The PermissionLoader class basically extended from ApplicationContextAware a springframework class.  It set the cachemanager in the constructor and in the load() method it got the permissions cache and filled it with our permissions listed in a config file.

The heavy hitter here was the ExampleRealm class.  That class is defined as such

class ExampleRealm extends AuthorizingRealm {

public ExampleRealm() {
setName( "ExampleRealm" )
}
@Override
boolean supports( AuthenticationToken token ) {
return true;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken authToken ) throws AuthenticationException {
        // this method returns an authorized user as a valid AuthenticationInfo object else it throws an exception
       }

public boolean isPermitted(PrincipalCollection principals, Permission permission) {
             // returns whether the user specified in principals has the passed in permission
        }

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
              // returns a user object as an AuthorizationInfo with their permissions filled in
        }

After that and that was a bunch.  We created a UserService and we defined the auth method something like this:
    def authenticate( email, password ) throws AuthenticationException {
        def authToken = new UsernamePasswordToken(username, password )
        // Perform the actual login. An AuthenticationException
        // will be thrown from ExampleRealm  if the username is unrecognised or the
        // password is incorrect.
        SecurityUtils.subject.login(authToken)
    }


Finally the jsps

After all that we were able to use things like the cool jsp tags like
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

<shiro:authenticated>
<shiro:hasPermission name="Identity:Update:Module">

Good luck out there and stay strong don't let Shiro beat you!


RVM is the only way to do Ruby development

We use apps that require different versions of Ruby and holy hell it'd be a bitch keeping it all straight without rvm.  I recently setup my rvm environment at that is really the only way to reliably run our stuff.

Start here by going to the rvm install page we need 1.9.3 and 1.8.7 here.  One runs our test cases and the other is for using puppet.  Once you get the latest rvm installed be sure to do an

"rvm install 1.9.3"

and an

"rvm install 1.8.7"

One thing we did here too was setup a separate gemset for our puppet app.  You can do that by typing

"rvm gemset create <gemset-name>"

then when you want to use 1.8.7 with say your puppet gemset just do this

"rvm use 1.8.7@puppet"

This is a great way to keep your gems clean and separate.

Friday, October 19, 2012

Git pulls were taking forever on my new VirtualBox running Ubuntu.  I'm doing git over ssh and it turns out if you edit the /etc/ssh/ssh_config file( save a copy first ) and change GSSAPIAuthentication to no that speeds it right up.

Originally saw this here

Wednesday, October 3, 2012

Performing a screen capture on a linux box remotely

I was having a tough time running some functional tests against Firefox using Xvfb on our Jenkins machine here at work. I couldn't figure out why the tests were dying.  I looked up how to do a screen capture and went to some page that suggested an xvd command well we didn't have that installed on our box but we did have ImageMagick.  Turns out you can run an import command to take captures for you and save them to a file.  Then you can scp them off the machine.

The simple command is:

import -window root screenshot.png

Here's more info if you need it.

http://www.imagemagick.org/script/import.php

Grails 2 sample tomcat security policy file

We've been working on a new project at work.  Using Grails after an exhaustive search for a new platform.  And it was my duty to lock it up with a security policy file. It took some doing.  I ended up using VirtualBox to install Ubuntu on my Win7 box to simulate our deployment environment better.  It took some doing but in the end it was best to start with the default catalina.policy file and add to it. So we created our own security.policy file and started with the defaults then we added below and now it works!  Took forever.  Hope this helps someone.


grant codeBase "file:${example.webapp.root}/WEB-INF/-" {
 permission java.io.FilePermission "${example.webapp.root}${/}-", "read";
 permission java.io.FilePermission "${/}WEB-INF${/}-", "read";
 permission java.io.FilePermission "${example.java.home}${/}..${/}-", "read";
 permission java.io.FilePermission "${example.catalina.home}${/}log${/}-", "read,write,delete";
 permission java.io.FilePermission "velocity.log", "read,write,delete";
 permission java.lang.RuntimePermission "modifyThread";
 permission java.lang.RuntimePermission "accessDeclaredMembers";
 permission java.lang.RuntimePermission "setContextClassLoader";
 permission java.lang.RuntimePermission "accessClassInPackage.*";
 permission java.lang.RuntimePermission "reflectionFactoryAccess";
 
 permission java.util.PropertyPermission "*", "read";
};




grant codeBase "file:${file.separator}groovy${file.separator}script" {
        // grails 1.1 + jdk 1.6.0_13
    permission java.lang.RuntimePermission "defineClassInPackage.java.io";
    permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
    permission java.lang.RuntimePermission "defineClassInPackage.java.net";
    permission java.lang.RuntimePermission "defineClassInPackage.java.util";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "grails.env", "read";


};


grant {
        // basic grails stuff incl. groovy magic
    permission groovy.security.GroovyCodeSourcePermission "${file.separator}groovy${file.separator}script";
    permission java.io.FilePermission "file:${example.webapp.root}${file.separator}WEB-INF${file.separator}grails-app${file.separator}-", "read";
    permission java.io.FilePermission "${file.separator}groovy${file.separator}script", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers.*";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "defineClassInPackage.*";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "stopThread";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.util.PropertyPermission "ANTLR_DO_NOT_EXIT", "read";
    permission java.util.PropertyPermission "ANTLR_USE_DIRECT_CLASS_LOADING", "read";
    permission java.util.PropertyPermission "groovyjarjarantlr.ast", "read";
    permission java.util.PropertyPermission "groovy.ast", "read";
    permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory.HashtableImpl", "read";
    // grails 1.1
    permission java.io.FilePermission "file:${example.webapp.root}${file.separator}WEB-INF${file.separator}grails-app${file.separator}*", "read";
    permission java.lang.RuntimePermission "setIO";


    // grails 1.1: various jars incl ant use ${file.separator}bin${file.separator}env
    permission java.io.FilePermission "${file.separator}bin${file.separator}env", "read,execute";
};




grant {
 permission java.net.SocketPermission "*", "accept,connect,resolve,listen";
 permission java.util.PropertyPermission "*", "read";
 permission javax.management.MBeanPermission "*", "registerMBean";
 permission javax.management.MBeanPermission "*", "invoke";
 permission javax.management.MBeanPermission "*", "getAttribute";
 permission javax.management.MBeanPermission "*", "queryMBeans";
 permission javax.management.MBeanPermission "*", "queryMBeans";
 permission java.lang.RuntimePermission "accessDeclaredMembers", "";
 permission java.lang.RuntimePermission "getenv.*", "";
};

Sharing engineering resources with oversight

Our team recently loaned out engineers to another team in need. Apparently the other team is burried in work. In order to make sure their time was used efficiently we also attached a Lead to the loan. The lead was able to shoot down a few ideas that were over designed and not making good use of public libraries already available.

Thought it was a great idea adding the lead

Unit tests getting an NPE on build.properties in Eclipse

Make sure you have run a build all in eclipse. Project -> Build All. Also make sure you have changed your build path and removed the "exlude *.*" from all the sections of the Source tab

Getting Pidgin to work w/Google Talk for your own domain

What a pain in the arse. I use gmail to host my own domain and getting Pidgin to work with it took a little extra effort.

Click Accounts -> Manage Accounts -> Add

Protocol: XMPP
Username: <username>
Domain: <your-domain>
Resource: Home
Password: <password>

Click Advanced Tab.
Check Force old(port 5223)SSL
Connect port: 443
Connect server: talk.google.com

Html Checkboxes

I always have trouble passing checkboxes to the server and I always forget how to do it again later. For this example we have a check boxe for the field Master . We are calling setters on the server in a Criteria object.

-In the Criteria Object

void setMaster( Boolean master ) {
this.master = master;
}
Boolean getMaster() {
return this.master;
}

-In the velocity page

<input type="checkbox" name="criteria.master" value="true">

This ensures we send true when the checkbox is checked, instead of the default "on"
If the checkbox is not checked we send nothing to the server Criteria object.

Concat/append json

This was a tough nut to crack. I scoured the internet for about an hour. This solution owes a thanks to Nikhil Dvivedi. The Javascript master.

var langObj = {
 a : one,
 b: two
}

var langObj2 = {
 c:three,
 d:four
}

for( var key in langObj2 ) {
 langObj[ key ] = langObj2[ key ];
}

langObj2 will be:
{
 a:one,
 b:two,
 c:three,
 d:four
}
If you want to get see the unicode codes of a regular varchar2 field on select in your oracle database you need to do this.

select ASCIISTR(name) from entity_table

this will display codes like this:

\30AF\30E9\30C3\30B7\30E5\30FB\30D0\30F3\30C7\30A3\30AF\30FC

instead of this:

クラッシュ・バンディクー ( actually it's a row of blocks in the oracle client )