Saturday, June 26, 2010

SSO, Pre Authentication & Spring Security 2.0.x

The Spring Security 2.0.x documentation does a great job of explaining:
  • how the pre-authentication concept ties in with SSO systems,
  • what classes are offered out-of-the-box,
  • and how to configure them
but it doesn't explicitly state how the the preAuthN Provider is reading the authentication data accumulated by the preAuthN Filters.

One would imagine that there would be a default UserDetailService implementation as well, which can be configured with the preAuthN Provider but if you go looking into the UserDetail package summary, there is no such thing.

What to do? Well if we look closer, the AuthenticationUserDetailsService interface in the org.springframework.security.userdetails package is implemented by PreAuthenticatedGrantedAuthoritiesUserDetailsService which sits in the org.springframework.security.providers.preauth package.

This works out well but the spring documentation offers a "Siteminder Example Configuration" where they place the UserDetailsByNameServiceWrapper inside the preAUthN user details service and PreAuthenticatedGrantedAuthoritiesUserDetailsService is nowhere to be seen ... so it can seem a bit confusing as to how it should be used or where it should be specified.

I found my a clue through this forum entry and apparently PreAuthenticatedGrantedAuthoritiesUserDetailsService can be specified as the class attribute of the preAuthenticatedUserDetailsService property ... and the use of an UserDetailService is strictly optional depending on whether or not one needs to pull anymore information about the user.

That's all folks, hope this sends you on your way to a successful integration.

Wednesday, June 23, 2010

Ramp Up on Spring Security 2.0.x

  1. What allows web.xml to leverage spring style configuration for Spring Security?
    Configuring a DelegatingFilterProxy in web.xml links the two together.

  2. How does Spring Security simplify the use of DelegatingFilterProxy?
    Usually we would have to create a Filter and then configure it by naming its bean the same as the filter-name for DelegatingFilterProxy. BUT instead the process is simplified if we provide springSecurityFilterChain as the filter-name and use the <http/> configuration element, which auto creates a default springSecurityFilterChain for us.

  3. Are the positions for the standard Filters in Spring Security always fixed?
    Yes.

  4. What does the concept of "authentication mechanism" refer to in Spring Security?
    It refers to collecting authentication credentials/details from a user agent (usually a web browser).Examples are form-based login and Basic authentication. Once the authentication details have been collected from the user agent, an Authentication "request" object is built and then presented to the AuthenticationManager.

  5. What is the function of an AuthenticationProvider?
    An AuthenticationProvider takes an Authentication request object and decides whether or not it is valid and then it will either throw an exception or return a fully populated Authentication object. Most AuthenticationProviders will ask a UserDetailsService to provide a UserDetails object. The resultant UserDetails object - and particularly the GrantedAuthority[]s contained within the UserDetails object - will be used when building the fully populated Authentication object.

  6. What is the function of an AuthenticationManager? What are its benefits?
    An AuthenticationManager is responsible for passing requests through a chain of AuthenticationProviders. Each Provider will be fed its respective "authentication mechanism" counter-part and proceed to validate the request, therefore, having a chain allows us to support various forms of authentication.

  7. What is the purpose of the <security:custom-authentication-provider/> element?
    AuthenticationProvider bean definitions can be marked for addition to the list maintained by AuthenticationManager using the <custom-authentication-provider/> element.

  8. What is the major difference between the configuration for spring-security 3.0.x vs 2.0.x?
    TBD

  9. How/Where does SecurityContextHolder store details of the principal currently using the application?
    By default, it uses a ThreadLocal to store these details. But you can choose between one the following modes:
    • SecurityContextHolder.MODE_GLOBAL
    • SecurityContextHolder.MODE_INHERITABLETHREADLOCAL
    • SecurityContextHolder.MODE_THREADLOCAL (default)
  10. What can be used for storing a SecurityContext between HTTP requests?
    HttpSessionContextIntegrationFilter

  11. What is the function of a ChannelProcessor?
    A ChannelProcessor will review the request, and if it is unhappy with the request (e.g. if it was received across the incorrect transport protocol), it will perform a redirect, throw an exception or take whatever other action is appropriate.

  12. How do you decide whether a security check belongs in a ChannelProcessor or an AccessDecisionVoter?
    ChannelProcessor is designed to handle unauthenticated requests, whereas AccessDecisionVoter is designed to handle authenticated requests.

  13. Question TBD
    Answer TBD

Saturday, June 12, 2010

Multiple Row Filters for JTable

When using the JTable from Java's swing UI, one might often come across a requirement when data filters need to be combined to offer results from searching multiple columns ... the Java Tutorials cover the simple stuff but they don't talk about combining filters! What to do? You can just hit the javadocs and put the pieces together OR after you've read the simple stuff, just try this and it should work like magic:

RowFilter<TableModel, Object> firstFiler = null;
RowFilter<TableModel, Object> secondFilter = null;
List<RowFilter<TableModel,Object>> filters = new ArrayList<RowFilter<TableModel,Object>>();
RowFilter<TableModel, Object> compoundRowFilter = null;
try {
    firstFiler = RowFilter.regexFilter(yourRegexString, columnIndex);
    secondFilter = RowFilter.regexFilter(yourRegexString, columnIndex);
    filters.add(firstFiler);
    filters.add(secondFilter);
    compoundRowFilter = RowFilter.andFilter(filters); // you may also choose the OR filter
} catch (java.util.regex.PatternSyntaxException e) {
    return;
}
sorter.setRowFilter(compoundRowFilter);
Easy Huh?

Wednesday, June 9, 2010

Ramp Up on Java

When I decided to take my SJCP exam, I choose this book as my "blind date" ... and after I finished reading it cover-to-cover, I felt that there couldn't possibly have been a better choice. It was amusing, engaging and insightful ... all the things I wouldn't expect from a book preparing me for what I thought was a run-of-the-mill test.

If you decide to ahead with taking the SCJP exam then (a) expect satire from your co-workers, (b) a tip-of-the-hat from your manager and friends, and finally (c) extra meaningless hits from recruiters assuring you that you're qualified for some position but have no idea what the project is about.

Ah! But most importantly, if you love java, expect to feel smarter and blissfully satisfied =)

Anyway hats off to the folks who put the book together ... Now, without any claims of any ties to them, this blog posting is my meager attempt at putting together a quick review.


  1. What is an Interface? It is a contract which the classes implementing it must abide by.
  2. What is an Abstract Class? It is a class with the abstract modifier placed before it. Any other class which inherits from an abstract class must provide implementations for its methods. Or Else? The code will not compile.
  3. Can a regular class have abstract methods? No, the class must be an abstract class to define abstract methods.
  4. Does having abstract methods make a regular class abstract? Stupid question, given what we just established.
  5. Are all the methods inside an abstract class considered abstract by default? No, they need to be explicitly marked as abstract.
  6. Why would you use an abstract class? Unlike an Interface whose methods cannot have a body defined for its methods, abstract classes allow you to have non-abstract methods which can provide default functionality for its child classes to inherit while providing specific implementations of their own for the abstract methods of their parent. In such a use case an abstract class can be useful.
  7. What has higher visibility? package or protected? The protected level access provides higher visibility.
  8. Does the order in which exceptions are caught in a try-catch block matter? Yes it does. You can't even compile code where a more specific exception gets caught after a more generic one ... because then that piece of code is unreachable which is not something that any compiler would look down upon kindly.
  9. What method allows a thread to give up control of the current synchronized context/object/monitor immediately? The wait() method.
  10. What about notify() or notifyAll()? Regardless of which line they are placed on inside the synchronized block, these methods run/take-effect after the rest of the code in the sync-block has finished executing.
  11. Can the notifyAll() method control the order in which the waiting candidates get notified? Nope.
  12. What is the significance of a final class? It cannot be extended.
  13. What is the significance of a final method? It cannot be overriden in a child class.
  14. What is the significance of a final variable? The reference cannot be changed after it is set.
  15. Can an anonymous class be declared as both extending a class and implementing an interface? Nope, it can only do one of the two at a time.
  16. What is the finalize() method all about? This method is guaranteed to be called once by Java's GC at least, after it determines that an object has no more active references left.
  17. What would be one reason for avoiding the use of the finalize() method all together? Since this method is called only once ... for an object that already had it called once but did not ultimately get garbage collected for some reason ... there is no guarantee that this method will be visited again the next time the GC decides to consider that object for recycling. So relying on this method for some sort of predictable behavior would be ill advised.
  18. What are the different generations of the GC? Basically there are: young, tenured and permanent generations. They are just memory pools holding objects of different ages. Garbage collection occurs in each generation when the generation fills up.
  19. What is the scope/monitor of a static sync method? It locks-on/monitors the class.
  20. Can a static sync method and a non-static sync method butt-heads for locks? No ... one locks the class itself object whereas the other locks an instance object.
  21. Which collection would you use for unique entries? Any implementation of Set.
  22. What is a good collection for only inserting/appending tons of data? Think about ArrayList vs LinkedList?
  23. What about retrieval? Hmm ... HashMap?
  24. What does the join() method do? It puts the current thread in a blocking-mode where it waits for the other thread ... on which the join was invoked ... to finish running.
  25. What is the purpose of WeakReference
  26. What is a ReentrantLock all about?
  27. What are class loaders all about? link1 link2
  28. What is the difference between Enumerators and Iterators?
  29. What happens if a thread is using an iterator and another one tries to insert into the underlying list? ConcurrentModificationException should be thrown.
  30. If a thread t locks a particular monitor multiple times ... will an unlock reverse the effect of all the lock operations? No ... each unlock reverses the effect of one lock operation.
  31. Can elements be removed while traversing a list via an iterator in a single threaded environment? Yes, the remove() method guarantees safe-same-thread deletion.
  32. Can the remove() method be used safely with the new for-loop style introduced in Java 5? Nope.
  33. Why are thread pools useful? A common type of thread pool where we have a fixed number of threads running allows application to degrade gracefully. Rather than try to do much and crashing ... an application can service the fixed/maximum requests that its hardware can handle/sustain in a predictable fashion.
  34. What is the purpose of the volatile keyword? It is similar to asking the Java runtime to provide a guarantee that all the reads on the given variable are synchronized by forcing the threads to always read-from/stay-in-sync-with the master copy. Reads and writes are atomic for all variables declared volatile. Using volatile variables reduces the risk of memory consistency errors, because any write to a volatile variable establishes a happens-before relationship with subsequent reads of that same variable. This means that changes to a volatile variable are always visible to other threads.
  35. What is the ideal # of threads that should be used on a machine with N cores? Umm...(n+1)/2 ?
  36. How do too many threads adversely affect a CPU intensive system? The context switching causes the thread-data to be loaded in & out of the chip level cache, this is an expensive overhead for hardware which is build around the precept of optimizing execution by retaining data in the chip level cache for the longest period possible.
  37. If the hashCode() and equals() methods are implemented properly for a given class, when can the equals() method return false even though the two objects being compared are equal? This happens when the classloaders for the two objects are different. For example: (a) in application servers, different application contexts (WARs) get their own separate classloaders, (b) two different classloaders can be in use for applications using RMI ... not so sure about this one ...
  38. How would you design your own GC in a language that had only objects? And how would you locate circular dependencies or islands?
  39. What happens when java classes are loaded into JVM? What is Java class file's magic number?