frank's homepage

I've been working on setting up another Drupal site on this server. Because of that I've installed the image module. Here's two images from skiing at Mt. Washington this weekend. The weather was pretty bad with high winds on Saturday and low visibility both days, but all the fresh powder made up for it. :-)

The site was down for a couple days due to a power outage after the heavy snowfall on the west coast. My parents didn't have power from Sunday evening until Thursday morning and since the server is in their basement the site was down too.

I've been playing around some more with Lingo and hooking it together with Spring's Acegi Security framework.

It would be awesome if Object properties on JMS messages let you send arbitrary objects. Then it would be no problem to propagate the security context. But, of course it's not that easy.

Instead I subclassed the LingoRemoteInvocationFactory and LingoInvocation classes to create SecureLingoRemoteInvocationFactory and SecureLingoInvocation. The new invocation class propagates the client side SecurityContext's Authentication to the server. I could have also set this as an attribute on the normal RemoteInvocation class, but I thought a concrete class was nicer and avoids creating+serializing a Map.

To handle the authentication information on the server I introduced a Lingo HeaderMarshaller. It pulls out the Authentication object from the invocation and authenticates it with Acegi's authentication manager.

I also introduced a new SessionAuthenticationToken and a SessionAuthenticationCreator interface. If an implementation of that interface is provided to the header marshaller it will use it to create a new session for an authenticated client.

For response messages, if the server side authentication token is a SessionAuthenticationToken, then the header marshaller includes the session ID in response messages sent to the client. In the client side header marshaller I check for this session ID and create a new SessionAuthenticationToken based on it. This token is then used in future server communication and the server then authenticates based on a session ID.

This is working pretty well, but it seems like a lot of work to make this happen. I looked at Acegi's implementation of sessions and remember-me authentication, but unfortunately it's all based around HttpSession and Servlets.

The annoying part for Lingo was that the HeaderMarshaller interface provides a client-side method that includes the RemoteInvocation object. However, at that point a JMS ObjectMessage has already been created, so adding the Authentication as an attribute to the invocation at that point seems to be too late. At least for me I could not get it to work this way, so I had to subclass the RemoteInvocationFactory. However, I'm not sure why it shouldn't work just with the header marshaller, so I really need to look into this more.

If anyone has a better idea or some more insights (or actually reads this), please post a comment. :-)

I've been putting in some time for a little ninja project at work. The plan is to get rid of JBoss and switch to ActiveMQ, Spring Remoting with Lingo, Spring MDPs instead of MDBs and plain old Tomcat for the web apps.

So far I've removed JBoss and updated our proprietary command execution framework to use Lingo. I haven't really tested very much at all, but so far it's at least working good enough for me to load the server and log into our rich client.

In doing so I chose Lingo since it lets me use JMS for normal remote calls and for async calls. Previously our command execution framework internally used JMS for the async case, which required special handling. With Lingo I have one solution that does both, which is nice.

The downside to Lingo is that there is no proper integration with ACEGI security. There is some information on the web that claims a proper integration exists, but all they do is pass the authenticated username to the server in a JMS header. That is of course totally unacceptable since without secured queues/topics anyone could send any username. At the very least they could send username and credentials to force a re-authentication on every remote method invocation, which would be quite inefficient. It would be nicer if instead they passed the entire SecurityContext (which is what ACEGI does for standard Spring RMI remoting) and then use that to authenticate on the server. Ideally there would be a session, just like with ACEGI and Http remoting, so that we don't have to re-authenticate all the time.

I haven't look at Lingo/ACEGI in detail, but this is something I might attempt to do in future. For now I'm just passing around the SecurityContext and handling authentication in our proprietary framework outside of Lingo.

Anyway, overall the transition away from JBoss has been pretty smooth. I've been able to delete a ton of XML configuration files and code to deal with our own JMS remoting implementation. Lingo with ActiveMQ is much more straight forward to use and configure.

Hopefully soon I can get around to plugging in standard Tomcat and porting over our webapps. Of course I also have to do some performance testing along the way. :-)

I spent Friday and the weekend at NFJS in Seattle. Like last year GenoLogics decided to send most of the development team down for the conference. It was good times with the team and a lot of good speakers.

However, I thought the conference last year was better for me. It just didn't seem like there was that much new stuff this year. Last year we had Java 5, Ajax and Ruby on Rails -- all pretty new at the time. This year I was already familiar with all that, so I didn't have that many things to take away. The talks on Spring/Hibernate/SOA were also not very interesting since I'm already familiar with those technologies.

The talks that I enjoyed the most were two on JavaScipt (since I didn't know very much about the language) and the talk about the Java memory model. It's nice to talk about things at a detailed level and really get into it.

I also went to talks on Tapestry and JSF. I'm not a web guy, so this is always quite interesting. JSF didn't impress me at all, it seemed clunky and complicated. Tapestry on the other hand had a clean seperation of HTML and code. I'm still not sure if I was that impressed with either though.

Finally, it's funny that there wasn't a single talk on Ruby this year. Was it just a fad afterall?